Thoughts on how to work with security issues
June 22, 2016, 11:16:41 am
emanuele
Global Moderator
Yeah, security... Once in a while it's necessary to talk about that as well. I have to admit our current "model" is a little lacking in the area, even though no severe security issues (well, depends on the definition) have been reported privately; all of them were either discovered internally, reported at SMF or disclosed in some way. But it's always possible one surfaces and kicks us in the back.

In our current setup, any vulnerability discovered or reported is discussed in a non-publicly accessible board, and this is mostly fine. But still I see at least two weaknesses: 1) when it's time to commit the changes and test the release, because these two steps are possible only in a public environment, 2) our parent project and all the siblings that may discuss their own issues internally and release without exchange of information before the disclosure.

Point 1 means any hacker following our repo can have hints of how current ElkArte forums are vulnerable. Point 2 means that there is a lack of communication between the different projects that usually results in one of the projects releasing a security update and potentially exposing all the people using projects with related code to the risk of being attacked. The few times I discovered a security vulnerability in ElkArte I seem to remember I reported it to both SMF and Wedge; anyway, I feel a bit of standardization and collaboration between projects would indeed be nice. Of course this is sub-optimal.

So, what can we do to improve things? I can think of two ideas: 1) a "security" list, with access granted to a restricted number of people to discuss security related reports, 2) a private repository where to develop code involved in security issues. The first point is rather easy to have; having the various projects share reports to that list would be an advantage for everybody. The second is somehow easy as well: a BitBucket repository (BTW I think there was already one) offers unlimited private repositories.

It may even be an idea to reach out to the GitHub guys, explain the situation and see if they can spare one single private repository for the project. Then there would be just to use the tools. What do you think?
Re: Thoughts on how to work with security issues
Reply #2 – June 23, 2016, 03:00:58 pm
I don't think a private repo is necessary. At some point the fix will be released and at that point everyone will know. If anything would need to change it would just be the speed of the release.
Re: Thoughts on how to work with security issues
Reply #4 – June 24, 2016, 02:15:40 pm
I think you're overthinking it. It's not an issue now and has never been an issue as far as I know.