Ben alerted me to this comment on Slashdot that mentions GeSHi. The article is about vulnerability numerology in software, and the comment slams Secunia for several dodgy practices - like trawling old changelogs and bug reports in order to find more vulnerabilities to report.
The comment is absolutely correct. In the particular example given, after consultation with the good crew of WikkaWiki, I put a workaround in GeSHi to fix a security vulnerability in the htmlspecialchars function of PHP - and nearly got a security advisory filed against GeSHi itself! To quote:
> we noticed the following entry in the changelog for GeSHi 126.96.36.199 and
> are about to issue an advisory based on this information.
> "Committed security fix for htmlspecialchars vulnerability. Also makes
> supporting multiple languages a lot easier"
> To serve our mutual customers best we would appreciate to receive your
> comments on this issue before we publish our advisory.
As you can see from the quote, they were going to publish a vulnerability report if they did not hear from me. Well they heard alright - I sent them back an angry e-mail to the effect that they were useless retards, and the report was never published. It's very annoying to see that if they had not have heard from me, they were going to publish anyway. They're acting as judge, jury and executioner when they have no right to.
I've also encountered the "bottom-fishing" as well, with Mahara. A fix for security being too tight on something resulted in an automated e-mail asking for more details so they could file a report.
I want to echo the sentiments of the comment here. If you run an OSS project and you receive e-mail from Secunia asking about security problems that are not your fault, complain! They do seem to at least not contest your protests or publish a vulnerability report if you do, which just goes to show they're in it for volume, not quality. If the problem is a real one you could put them straight so they can file an accurate report, but why not try experiment and tell them it's rubbish anyway. They don't deserve to have a report if they can't be bothered analysing the problem for themselves.
I think you'll agree, if their default behaviour was to do nothing if they didn't receive a reply, they wouldn't be doing it. They wouldn't get any vulnerability reports this way.
One final note. In this post I am only criticising the attitudes and methods of Secunia. I am not saying anything about good or bad security practice, other than that Secunia are performing irresponsible disclosure.
Like this post? Subscribe to my RSS feed and follow me on twitter to hear about new posts early.
Want to share this post?