On Thursday 01 December 2011, Daniel-Constantin Mierla wrote:
> [..]
> Anyone objecting to implementing a process for handling security incidents?
> I have no objection in this regard, any contribution/managing process that will make usage of the project easier/more attractive for various people is welcome. The question will be who will take the work (e.g., reviewing, categorization, announcements to devels and community, ...). Personally, I try not to make a difference between bugs, but just try to solve asap, with priority on how common a use case the situation raising the bug is.
> Another question is categorizing 'security bugs' - in my understanding I consider such bugs when one can gain access to the server or steal/compromise data from/on the server. Crashing situations are not in this category (IMO).
Hi Daniel,
IMHO certain denial of service attacks also belong to the "security bug" class. If somebody can easily bring my service down because of e.g. a crash during the processing of misformatted (network) input, then the availability of the service can be easily compromised.
Best regards,
Henning