Reporting security vulnerability
Matthew Brush
mbrush at codebrainz.ca
Fri Jun 7 02:55:09 CEST 2013
On 13-06-06 04:38 PM, Jeroen van Aart wrote:
> On 06/06/2013 02:37 PM, Justin R. Andrusk wrote:
>> I do wonder if this would get the same level of classification that a
>> like security vulnerability in Ubuntu would get. Process should be the
>> same. Report it as a bug without giving the details in the bug report.
>> You may even want to submit a patch yourself if you can.
>
> It's a bad idea to hide security vulnerabilities.
> Security through obscurity is worse than no security at all.
>
> http://en.wikipedia.org/wiki/Security_through_obscurity
>
> "Security through obscurity has never achieved engineering acceptance as
> an approach to securing a system, as it contradicts the principle of
> "keeping it simple". The United States National Institute of Standards
> and Technology (NIST) specifically recommends against security through
> obscurity in more than one document. Quoting from one, "System security
> should not depend on the secrecy of the implementation or its
> components."[1]"
>
> [1] http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
>
That term refers more to the underlying mechanisms and implementations
of the software/system being secured through obscurity I think (ex.
closed/obfuscated source code, unpublished proprietary protocols, etc),
which is more or less impossible in an open source project like XFCE.
Rather, in this case it seems to be more about preventing this:
https://en.wikipedia.org/wiki/Zero-day_attack
And loosely following some policy like this (linked from bottom of
previous):
https://en.wikipedia.org/wiki/RFPolicy
To give the developers a chance to get it fixed before it harms many
real users. The fix will ultimately be in the commit log (and bug
tracker), not obfuscated or hidden.
My 2¢
Cheers,
Matthew Brush