Discussing potential security vulnerabilities

Corey_Wright · February 12, 2008, 4:07pm

what is the protocol for discussing (potential) security vulnerabilities?

again, i said “potential” (so that everybody doesn’t get all out-of-whack over this).

some projects are hesitant to discuss such things in public forums (mailing lists, irc, message boards, etc), and rightfully so, but i rather discuss it with someone (familiar with the openfire codebase, unlike myself) first before sounding any potential false alarms.

i did a google search of “openfire security” and didn’t find anything relevant to project protocol on the first two pages of hits. i searched the issue tracker for “security”, specifically in openfire, but only saw a few that appeared to either be well known (recent jetty vulnerability) or non-disclosed (no details).

thanks for openfire!

Daniel_Henninger · February 12, 2008, 5:34pm

You can ping me directly if you’d like to.

Corey_Wright · February 12, 2008, 8:03pm

how exactly do you define “ping”?

email, im, forum private message?

my apologies; i sometimes need things spelled out for me.

i emailed you (which i hope is acceptable), but for future reference (mine and anybody else who searches for this), which did you mean?

Daniel_Henninger · February 13, 2008, 3:26pm

I suppose I meant, any of those, whichever you preferred. (I typically refer to ping me to mean “contact me”)

So email worked just fine! May not be able to look at it today though, depends on how things play out!