On Aug 23, 2007, at 7:14 PM, Jason Fesler wrote:
mind that we are 0.1-rc1 and be gentle! ;))
IMO: Be .. *polite*. But, real problems if identified need a fixin. The fact that RC is a 0.1 and not a 1.0 means this is a great time to have it come up, before there is too much of an install base for RC. Being that there's always two sides to the argument on disclosure, I just want to say thank you Jordan, for giving a chance to do things politely. :-)
Glad to be of service! I'm a big believer and user of open-source,
so this only makes sense to me. I figure everybody wins -- you guys
get a fairly decent security audit (though certainly not
comprehensive -- being that I'm really focusing on testing the
products and not RC itself) and I've got a great test application to
throw scanners against and watch how they handle (or don't as is
mostly the case so far) AJAX apps.
I've got decent ideas on how to fix most of the vulns already, so
hopefully I won't make much extra work for you guys, but we can still
really tighten the security.
BTW -- I use RoundCube myself as a backup mail client, so I've got a
vested interest as well. ;-)
--
Jordan Wiens
Contributing Technology Editor, Security
Network Computing/InformationWeek
352.871.5109 (m)
jordanwiens (im)
List info: http://lists.roundcube.net/dev/