The PHP security consortium recently held the «Month of PHP Bugs». During this phase, everyone was called to submit bug reports to the PHP team.
However, Ed Finkler from the PHP security team had officially announced earlier that there were no security bugs in PHP. Of course, the announcement was padded with the typical anti-Esser propaganda (see also «Bye Bye, Esser» on «PHP is broken»).
However, Esser himself had previously sent Finkler notices of about 20 unfixed PHP vulnerabilities. Seen from this angle, the entire statement appears to have been a big lie.
Thus, Esser submitted 45 serious PHP security bugs to the PHP month of security bugs. He got toasted immediately for disrespecting the rules of «responsible disclosure». However, the majority of these bugs had already been known in advance by the PHP security consortium, rendering the claim somewhat absurd.
Responsible disclosure is only possible if the maintainer of the affected product also responds within a reasonable time. This is why it is impossible to play the game of responsible disclosure with a lot of bigger companies, namely Microsoft, Apple, Cisco Systems and Oracle. (Actually, cooperation with Cisco Systems does work OK as long as you're a Cisco customer. However, lots of people who discover security problems in Cisco IOS actually aren't.)
And all that remains is this truthful logo...
Read the full story on http://blog.php-security.org/[...]-PHP-Bugs.html.