--
You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to silverstripe-d...@googlegroups.com.
To post to this group, send email to silverst...@googlegroups.com.
Visit this group at http://groups.google.com/group/silverstripe-dev.
For more options, visit https://groups.google.com/groups/opt_out.
I agree with several of the comments here, and the "vouch for" approach would probably be the wisest to filter out potential script kiddies etc.
Great idea, I'm totally for it.
Regards,
Ralph
+1. Please add us too (support at innoweb dot com dot au). Thanks.
Just to make sure - is that list already in effect? And if so, how can one tell one is on it? :)
Thanks, Martine
Hello everybody,

SilverStripe is being used in many environments where security is crucial, so we’re looking for ways to enable fast and solid responses to any known issues. In addition to our existing security release process, we’d like to introduce a pre-disclosure mailing list. Members in this list will receive a security pre-announcement as soon as it has been sufficiently researched, alongside a timeline for the upcoming release. This will happen a few days before the announcement goes public alongside the new release, and most likely before a patch has been developed. Since we’ll distribute sensitive info on unpatched vulnerabilities in this list, the selection criteria for joining naturally have to be strict.

We’re thinking of making it invite only based on references from other list members, combined with a demonstrated need for this level of information (e.g. a large website with sensitive customer data).
--
You received this message because you are subscribed to a topic in the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/silverstripe-dev/0mjNBaSP8vE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to silverstripe-d...@googlegroups.com.
Room9’s response to the suggestion “...that anything classified as "low" or "moderate" would not receive a pre-announce...”.
(1) In principle, we always prefer to be aware of all security related issues, not just a subset.
(2) As you are using SilverStripe’s definition of degrees of severity, we have looked at it again and we are concerned that SilverStripe's point of view is quite different to Room9's. Having different points of view is perfectly normal, but the outcome is that we will have different priorities regarding the severity of issues.
(3) Seeing (2) is likely to be true for most of us involved in this group, Room9 would feel more comfortable with regards to the assessment of the severity of vulnerabilities if SilverStripe were to use an industry standard vulnerability scoring system such as the Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/cvss-guide.pdf and its Common Vulnerability Scoring System Version 2 Calculator http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 . These are the systems and criteria used to score CVEs, are free to use, and require no affiliation to its governing bodies.
(4) If the use of CVSS were to be incorporated, then it would take very little additional effort for SilverStripe to be able to release CVEs. That would put SilverStripe on a higher level for maturity and transparency and increase its appeal for large and enterprise accounts.
Conclusions:
A) We disagree with the suggestion of only pre-announcing what is considered “low” or “moderate” according to SilverStripe’s severity criteria.
B) We respectfully suggest that CVSS be adopted for the scoring of vulnerabilities.
Kind regards,
Carlos Cordero
Room9 Limited