misterdai | 11 years ago

I can understand both points of view with the disclosure of the security issue. A while ago I discovered some security issues with Adobe ColdFusion and Railo. I wish I had put a deadline on disclosing the Adobe ColdFusion issues, as they dragged their feet so much (with admitting it was an issue and progressing with a fix) that at points I felt like throwing in the towel. Regrettably, instead of lighting a fire under their ass, I waited. At the time I was working on an open source side project, which would have pointed fingers towards where the issue was for any curious people.

I ended up halting development of my project while I waited for Adobe, to the point where I no longer wanted to work on it. I had stopped for too long and I didn't want to dig anything else up. Having no legal-type knowledge myself, or knowing anyone who could offer such advice, I was also too concerned to reveal anything for fear of any legal reprisal.

So, the threat of security disclosure is warranted to pressure others into putting in the effort. However, the impact of the disclosure should be considered. If it will seriously affect others (who aren't responsible for the fix) and put them at risk, there should be the flexibility there to work with them on a deadline.

sjwright | 11 years ago

Did Railo fix the bug?

misterdai | 11 years ago

They fixed one of the issues I reported. I don't believe I had official confirmation of the other issue I had with Railo being resolved. I probably should try it out again on their latest version, but I don't use Railo and haven't found myself with much fondness for ColdFusion either.

But I should probably pull my thumb out and check ;)