[pmwiki-users] suggestion for security notifications

Patrick R. Michaud pmichaud at pobox.com
Tue Sep 5 10:00:37 CDT 2006

On Tue, Sep 05, 2006 at 03:39:12PM +0200, Simone Rota wrote:
> On 09/05/06 14:53 Neil Herber wrote:
> > However, it does no one other than the crackers any good to post 
> > vulnerabilities here before Patrick has had a chance to even look at 
> > the threat. He generally takes very little time to assess threats and 
> > post a new version of PmWiki or a workaround.
> > 
> > So please, if you have found a vulnerability of any type, send a 
> > *private* email to Patrick first and discuss it with him.
> Makes sense, even if here the issue was already known
> and published, and, more important, exploits are circulating.
> In a case like this I see no real advantage in keeping the
> info off-list; in any case I'll be happy to adhere to
> whatever the suggested policy is.

This is indeed a tricky case.  Here's my take on things...

If someone discovers a possible vulnerability in PmWiki that
isn't already publicly known, I'd greatly prefer to be 
contacted off-list, as Neil suggests.  Sometimes it's not 
really a vulnerability (in case we don't want to needlessly 
alarm others), and we can disclose the problem *after* the 
fix is available.

However, in a case like this one where the vulnerability has 
already been publicly reported from a reputable site (isc.org) 
and there are reports of active exploits "in the wild",
I don't have any issues with it being disclosed and discussed
on this mailing list.  Once the news has hit a security site, 
it's effectively "public knowledge" (at least to the bad guys), 
and I'd rather make sure that PmWiki users be made aware of 
vulnerabilities and fixes as quickly as possible.

Still, if there's any doubt, it's always safe to contact
me off-list, first.  And I will note that several people
did contact me off-list about this particular vulnerability, 
for which I'm truly grateful.

At any rate, everything ends up being known in the end, so
little harm done in the long run no matter what happens.
