Reporting security vulnerability
mbrush at codebrainz.ca
Fri Jun 7 02:55:09 CEST 2013
On 13-06-06 04:38 PM, Jeroen van Aart wrote:
> On 06/06/2013 02:37 PM, Justin R. Andrusk wrote:
>> I do wonder if this would get the same level of classification that a
>> like security vulnerability in Ubuntu would get. Process should be the
>> same. Report it as a bug without giving the details in the bug report.
>> You may even want to submit a patch yourself if you can.
> It's a bad idea to hide security vulnerabilities.
> Security through obscurity is worse than no security at all.
> "Security through obscurity has never achieved engineering acceptance as
> an approach to securing a system, as it contradicts the principle of
> "keeping it simple". The United States National Institute of Standards
> and Technology (NIST) specifically recommends against security through
> obscurity in more than one document. Quoting from one, "System security
> should not depend on the secrecy of the implementation or its
>  http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
That term refers more to the underlying mechanisms and implementations
of the software/system being secured through obscurity I think (ex.
closed/obfuscated source code, unpublished proprietary protocols, etc),
which is more or less impossible in an open source project like XFCE.
Rather, in this case it seems to be more about preventing this:
And loosely following some policy like this (linked from bottom of
To give the developers a chance to get it fixed before it harms many
real users. The fix will ultimately be in the commit log (and bug
tracker), not obfuscated or hidden.
More information about the Xfce4-dev