Posted by greggles on December 1, 2011 at 4:28pm
Currently, when someone reports an issue to the team, or fixes an issue, or coordinates an issue, we link to their name in the security advisory.
There are two problems with this:
- Sometimes people report issues who do not have accounts on drupal.org
- Some researchers or involved parties (team members, developers) might prefer that we link to their site
I'm a bit torn on the proper way to handle this.
I looked around at what other organizations do:
- Mozilla sample announcement includes no mention of humans. Mozilla is built by robots, apparently. They do link to bugs in bugzilla, but you can't access them as anonymous.
- WordPress sample does link to the researcher's company (not sure if they let the researcher choose) - however, wordpress.org doesn't seem to have profile pages (the author of that article, for example, also links to his personal site rather than a wp.org profile)
- Joomla sample lists people actively patching and active on the security teams at the time of release, but not the researcher. Digging into the security announcement it lists the researcher but does not link to them. (more examples)
Given all that... what should we do?
Comments
Just looked at OSVDB for
Just looked at OSVDB for examples, they reference both individual and orgs. See http://osvdb.org/show/osvdb/74043 as an example. CERT says they give credit to reporter, unless reporter requests otherwise.
Protected Industries
OSVDB links to individual and
OSVDB links to individual and orgs, but they link those names to a profile page on osvdb.org
Looking for CERT led me to:
It seems a lot of organizations name the researcher and some name their organization. Linking to their personal or organizational sites is not done nearly as often.
knaddison blog | Morris Animal Foundation
Advisory links
I'd also note that independently published advisories are generally linked to by aggregation services (such as Secunia, NIST NVD, OSVDB, Security Reason, CNET, Security Focus, etc.). This incentivizes researchers to release advisories independently rather than coordinate with Drupal security (ref most of the vulns announced by MustLive (ex: http://seclists.org/fulldisclosure/2011/Jun/529)).
http://www.MadIrish.net
Secunia names but doesn't
Secunia names but doesn't link.
The OSVDB example links to your site as a reference, but oddly enough didn't actually credit you, contrary to what they normally do (see my comment above - seems odd?)
For our purposes I think the most relevant comparison is what other "vendors" do - research databases like NIST seem to be released after the fact and link to all relevant sources of information. I use quotes on "vendor" since the Drupal project isn't a single vendor in a traditional sense even if it fills this role in this case.
knaddison blog | Morris Animal Foundation
I just re-read all of these.
I just re-read all of these. It seems like most software vendors either don't link to other sites or don't even mention the researcher in the post. Our policy of naming researchers who follow responsible disclosure and linking to their profile page on drupal.org is actually more rewarding (in a non-monetary way, of course) than most of the organizations reviewed here.
Many of the organizations that list vulnerabilities will link to multiple reports including the researcher, which makes sense because their goal is to provide a complete picture of the issue and not necessarily just be a resource for getting out the news about security updates. It would be interesting to do usability research with Drupal site builders of all skill levels to see how they interact with our advisories.
For now I think we should stick with our policy of naming and linking to drupal.org profile pages. The profile page does allow customization including linking to other sites so people who want to link to specific articles can do that from their profile page.
knaddison blog | Morris Animal Foundation
Re: Usability research - security advisories
We could run a poll on the Drupal LinkedIn groups, which have 18,000 users and are pretty active, e.g. "How do you use Drupal Security Advisories?"
1. Immediately implement them
2. Selectively implement them after careful review
3. Ignore them
4. What are Security Advisories?
Thoughts?
Those are interesting
Those are interesting questions. Here's what I had in mind to cover in the interview:
Question 3 is where we really get to the meat of this question, but I think the total process would be interesting.
knaddison blog | Morris Animal Foundation