Full Disclosure and Open Source

Recently Amichai Shulman from Imperva found some security issues with DWR, and while I'm glad that we've had a chance to make DWR more secure, some of Imperva's press releases need comment.

The Q and A claims that the DWR developers don't know the different between client-side and server-side security. I can assure you this is utter nonsense. He fails to take into account the fact that special knowledge of the called code is required before the flaw can be exploited.

However, most disappointing is a perception that affects all open source developers.

Amichai thinks the normal rules of Full Disclosure do not apply to open source software because there is no-one to report problems to. He says:

"In the case of open source platforms, like AJAX, formal vulnerability disclosure protocols do not exist."

On the contrary: anyone that finds a hole in any open source software will find that in general it is easier to get the message to the people that need to know than with other software.

Take DWR for example: The researchers options were:

  • Send mail to the DWR mailing list: [users at dwr.dev.java.net]. You don't have to subscribe. It's not hard.
  • Even better: Send mail to the DWR security mailing list. It's setup just for this type of thing: [dwr-security at googlegroups.com]. Again, no subscription necessary.
  • Send mail to the Getahead Support email address. It's listed on this site: [support at getahead.org]
  • Send mail directly to me, my address isn't hard to find from the mailing list, but the above are all better options.

Do you know how to send email to the lead developer of, say Flash, or Windows, or Acrobat?

So why didn't he want to come to us first? From the original article:

"Imperva's SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications."

I'm disappointed that Imperva took this opportunity to disregard the security of DWR users by publishing before a fix was available. Surely a few days was not too long to wait? Does Imperva care more about hype than security?

I'm very glad for Feedster's blog search which alerted me to the advisory, and I expect DWR users are glad we're fast at fixing issues.

I'm interested in your comments. Has Imperva gone too far? Should open source software really be treated more harshly than proprietary software? Is there anything else DWR should be doing to improve our security?

Amichai: I'm in the Bay Area next week. Do you want to meet-up to discuss how to disclose problems to open source developers?


Comments have been turned off on old posts