Secure Software
So you've spent weeks, if not months, producing a nice shiny piece of new software for folks. You've gone to great lengths to work with others to make sure it's as secure as you can make it. You've got all kinds of validation, sanity checking, path checking, and other things included in your code. Everything seems to have paid off. Your package has been on the web for months, and nobody has reported a problem despite it being used in at least a few popular locations. Every attempt you've witnessed on your own sites indicates people out there are trying, but getting nowhere aside from one or two random incidents which you promptly patched up. The efforts have paid off so well that not even the usual flood of spambots that plagues other sites is affecting yours. At least until you discover a web posting with an ominous claim:
Secunia Research has discovered a vulnerability in ---------------, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. execute arbitrary SQL queries by tricking a logged in administrator into visiting a malicious web site.
Yes, in case anyone is wondering, that's an actual advisory report for something I'm a part of, or at least I'm a part of apps which are based on it. Do your own digging if you want the actual name, because aside from that lovely vague advisory, Secunia hasn't bothered to explain what it means. They didn't even bother to send that notice in the mail. They sent me an email a couple of weeks back saying they had found a vulnerability. First, the email they sent got dragged into my spam folder by Thunderbird. Second, after I dug it out, it was dated the same day as a previous advisory I had already cleared up in two products based on this, so I had no real reason to assume it was for anything other than that.
I don't know exactly how "responsible disclosure" is supposed to work, but the only email they sent privately looks like this:
Secunia Research has identified some security issues in the --------- and ------------ projects. Please contact us via vuln@secunia.com to receive further information.
That's hardly enough information to go on. I'm sure I really should be telling them this but I'm not feeling that charitable toward how they handled this right now. So they can consider this an open letter to work on their policy of informing project maintainers of issues in their software. Being blindsided by it because you ran into it in the public advisory posting doesn't really sit well. They'll probably make some sort of excuse about how I shouldn't have ignored them, but really, a too vague notification on the heels of having fixed an advisory already?
So anyway, as it turns out, there are three advisories pending, two of which shouldn't be terribly difficult to patch up since they were specific enough to address. This last one, though, with the vague XSS business, I can't do anything about unless I know where to look. As many of you who visit regularly are developers yourselves, I'm sure you can appreciate the need for good bug reporting. Their advisory posting even indicates they only gave whoever they claim to have talked to five days after getting a response back.
I guess the point is, be clear about what you're contacting someone about. Give them the courtesy of a proper incident report. And for the love of God, give them more than 5 days to do something about it!
Also, it would seem they haven't followed their own damn policy on this either: http://secunia.com/research/policy/
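The advisory quoted above describes the whole bug class in one sentence: a state-changing request is accepted on the strength of the session cookie alone, and a browser will attach that cookie to a form auto-submitted from any other site. As an added illustration that is not code from this post or from the affected project, here is a minimal Python sketch of that "before" handler next to one guarded by a per-session synchronizer token plus an Origin/Referer check. The admin "run SQL" endpoint, the in-memory session store, the request dictionaries and the site origin are all assumed stand-ins, not anything taken from the real application.

```python
"""Synchronizer-token CSRF check beside the unprotected handler it replaces.

Everything here is a constructed stand-in: SESSIONS replaces the app's session
backend, EXECUTED replaces the database, and requests are plain dicts.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"   # assumed origin of the protected application
SESSIONS = {}                         # constructed stand-in for the session store
EXECUTED = []                         # records every query the admin endpoint ran


def new_session(user="admin"):
    """Create a session and mint a per-session CSRF token at login time."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The server embeds this value in every state-changing form it renders."""
    return SESSIONS[sid]["csrf_token"]


def _session_of(request):
    return SESSIONS.get(request["cookies"].get("sid"))


def run_query(sql):
    EXECUTED.append(sql)
    return f"executed: {sql}"


def handle_vulnerable(request):
    """Before: any request carrying a valid admin session cookie is acted on.
    The browser sends that cookie even when an attacker's page submitted the form."""
    session = _session_of(request)
    if session is None or session["user"] != "admin":
        return 403, "forbidden"
    return 200, run_query(request["form"]["sql"])


def csrf_ok(request, session):
    """Synchronizer-token check, then a sanity check on Origin/Referer."""
    if request["method"] != "POST":
        return False                                  # state changes only via POST
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False                                  # missing or wrong token
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if origin:                                        # if a browser sent one, it must match
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    return True


def handle_hardened(request):
    """After: same endpoint, but the request must prove it came from our own form."""
    session = _session_of(request)
    if session is None or session["user"] != "admin":
        return 403, "forbidden"
    if not csrf_ok(request, session):
        return 403, "csrf check failed"
    return 200, run_query(request["form"]["sql"])


def forged_request(sid):
    """Constructed: what the browser sends when a malicious page auto-submits a form.
    The session cookie rides along; the attacker cannot read the token to include it."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {"Origin": "https://evil.example"},
            "form": {"sql": "DROP TABLE users"}}


def legit_request(sid):
    """Constructed: the same action submitted from the application's own rendered form."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"sql": "SELECT 1", "csrf_token": csrf_token_for(sid)}}


if __name__ == "__main__":
    sid = new_session()
    print(handle_vulnerable(forged_request(sid)))   # (200, ...) the forgery goes through
    print(handle_hardened(forged_request(sid)))     # (403, 'csrf check failed')
    print(handle_hardened(legit_request(sid)))      # (200, 'executed: SELECT 1')
```

The token is the check that actually matters: a cross-site page can make the browser send the cookie, but the same-origin policy stops it reading the token out of the real form, so it cannot supply one. The Origin/Referer comparison is a cheap second layer that catches forged requests early and makes them show up in logs, but it is skipped when no header is present because some browsers and proxies strip them, and a comparison using `hmac.compare_digest` avoids leaking the token by timing.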
.........................
"It is pointless to resist, my son." -- Darth Vader
"Resistance is futile." -- The Borg
"Mother's coming for me in the dragon ships. I don't like these itchy clothes, but I have to wear them or it frightens the fish." -- Thurindil
Well. I guess that's that then.
When I put in the wrong captcha, it makes me do a new one, so how do they solve it by brute force? I'd think one strike changing the challenge would be enough to defeat brute force altogether... or is it a matter of just trying new combinations of random letters and numbers until it happens to get lucky and match the captcha image?
It really is amazing when you think about it, as I said, can you imagine where we could be if they put that same effort into useful societal technological gains?