[VIM] Joomla! developer: Being "The Vendor" for Security Issues
security curmudgeon
jericho at attrition.org
Sat Feb 27 08:48:59 UTC 2010
late response..
On Sun, 6 Sep 2009, Steven M. Christey wrote:
: This is basically a commentary on typical VDB practices shared by most
: of us. The Joomla! folks have a couple solid points, especially on
: proper distinction of third-party extensions from core, and their desire
: for accuracy.
:
: http://community.joomla.org/blogs/community/1029-on-being-qthe-vendorq.html
:
: I'm thinking on a constructive response. The apparent practice of
: removing vulnerable extensions from their directory is probably
: adversely affecting all of us - certainly CVE, who tries to verify that
: an extension is not just site-specific before we create an entry.
I noticed this kind of issue pretty early on and directed how OSVDB
handles it. Since our data set isn't 50% complete, vendor information is
not added for many entries. As a result, the only real and consistent
distinction we can make is in the title.

This goes for Joomla! and any other software with third-party plugins.

Vendor:
Joomla! ...

Third-party:
X Plugin for Joomla! ..

It's subtle but the best we can do for now.