Where to link credit for finding/fixing issues

greggles

Currently when someone reports an issue to the team, or fixes an issue, or coordinates an issue we link to their name in the security advisory.

There are two problems with this:

  • Sometimes people report issues who do not have accounts on drupal.org
  • Some researchers or involved parties (team members, developer) might prefer that we link to their site

I'm a bit torn on the proper way to handle this.

I looked around at what other organizations do:

  • Mozilla sample announcement includes no mention of humans. Mozilla is built by robots, apparently. They do link to bugs in bugzilla, but you can't access them as anonymous.
  • WordPress sample does link to the researcher's company (not sure if they let the researcher choose) - however wordpress.org doesn't seem to have profile pages (the author of that article, for example, also links to his personal site rather than a wp.org profile)
  • Joomla sample lists people actively patching and active on the security teams at the time of release, but not the researcher. Digging into the security announcement it lists the researcher but does not link to them. (more examples)

Given all that... what should we do?

Comments

Just looked at OSVDB for

proindustries

Just looked at OSVDB for examples, they reference both individual and orgs. See http://osvdb.org/show/osvdb/74043 as an example. CERT says they give credit to reporter, unless reporter requests otherwise.

OSVDB links to individual and

greggles

OSVDB links to individuals and orgs, but they link those names to a profile page on osvdb.org.

Looking for CERT led me to:

  • Google blog post that doesn't mention reporter and doesn't include links to their sites. It does link to the bug report which is a 403 for me.
  • CERT (and another) - list the people involved in finding the bug but don't link those names to anything.
  • ISC doesn't name the researcher.

It seems a lot of organizations name the researcher and some name their organization. Linking to their personal or organizational sites is not done nearly as often.

Advisory links

Justin_KleinKeane

I'd also note that independently published advisories are generally linked to by aggregation services (such as Secunia, NIST NVD, OSVDB, Security Reason, CNET, Security Focus, etc.). This incentivizes researchers to release advisories independently rather than coordinate with Drupal security (ref most of the vulns announced by MustLive (ex: http://seclists.org/fulldisclosure/2011/Jun/529)).

Secunia names but doesn't

greggles

  • Secunia names but doesn't link.
  • The OSVDB example links to your site as a reference, but oddly enough didn't actually credit you, contrary to what they normally do (see my comment above - seems odd?)
  • Security Reason names but doesn't link.
  • CNET names and links; it seems like they might just copy/paste from elsewhere.
  • SecurityFocus does name you and links to Full Disclosure, which can include just about anything.

For our purposes I think the most relevant comparison is what other "vendors" do - research databases like NIST seem to be released after the fact and link to all relevant sources of information. I use quotes on "vendor" since the Drupal project isn't a single vendor in a traditional sense even if it fills this role in this case.

I just re-read all of these.

greggles

I just re-read all of these. It seems like most software vendors either don't link to other sites or don't even mention the researcher in the post. Our policy of naming researchers who follow responsible disclosure and linking to their profile page on drupal.org is actually more rewarding (in a non-monetary way, of course) than most of the organizations reviewed here.

Many of the organizations that list vulnerabilities will link to multiple reports including the researcher, which makes sense because their goal is to provide a complete picture of the issue and not necessarily just be a resource for getting out the news about security updates. It would be interesting to do usability research with Drupal site builders of all skill levels to see how they interact with our advisories.

For now I think we should stick with our policy of naming and linking to drupal.org profile pages. The profile page does allow customization including linking to other sites so people who want to link to specific articles can do that from their profile page.

Re: Usability research - security advisories

ijf8090

We could run a poll on the Drupal LinkedIn group, which has 18,000 users and is pretty active, e.g. "How do you use Drupal Security Advisories?"

  1. Immediately implement them
  2. Selectively implement them after careful review
  3. Ignore them
  4. What are Security Advisories?

Thoughts?

Those are interesting

greggles

Those are interesting questions. Here's what I had in mind to cover in the interview:

  1. Ask: How do you find out about security updates to Drupal? Potential answers: update module, emails, twitter, rss feed
  2. Show them drupal.org/security and sub-tabs. Ask: Do you read the reports on these pages? If so, when do you read them? Answers: Yes/no, sometimes. Right as they come out, browse after the fact, browse when updating site.
  3. Ask: Please read some reports and narrate the experience. Answer: Ok, I see this is a report about X, the problem seems to be Y, I don't know what Y is but I could read the documentation if I wanted to I guess. I understand this area. I don't understand this area. Etc.
  4. Ask: What information did you expect to find that you didn't find in that SA? Answer: not sure?
  5. Present a set of adjectives. Ask: Choose from this set of adjectives to describe how you feel about the Drupal security notification process. 
  6. Ask: How do you use Drupal Security Advisories (with ijf8090's list)? Answer: ...one of those.

Question 3 is where we really get to the meat of this question, but I think the total process would be interesting.