Tuesday, January 09, 2007

Handling Security


aki va un tocho para kien lo kiera leer! XDD es sobre la vulnerabilidad ke opera arregló pero ke no avisó y tol lio, interesante

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview on how security issues get reported and disclosed - and not only at Opera, but in most applications: it might help some people to understand how this works.

When somebody discovers a vulnerability in an application, they should report it to the vendor. It can happen that the reporters give a deadline by when they want to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that makes both happy. If the exploit is not clear, both work on details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.

It is important that both parties do respect each other: if a fix is included also in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced: this is a form of respect both for the reporter and for all the users that only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds - and vendors do not announce vulnerabilities before the reporters makes their discovery public, in order to properly credit them.

Sometimes it even happens that we do not mention issues in our changelogs even though we have fixed it - because we are waiting for other vendors to fix the same issue in their products.


0 comentarios: