by LukasReschke 3845 days ago
> logging changes

"Please look at this commit so you know how you can hack us", sounds certainly like a much better idea ;-)

> Security history at Wordpress

When was there a single very grave vulnerability within the core of Wordpress? Mostly plugins are the root of all evil there. (besides the nasty XSS one in Jetpack, which was caused by a static HTML file)

> - From what I've heard, security fixes are provided to enterprise customers first, so if you're lucky your adversary is one of them and knows about vulnerabilities way ahead of you.

This is wrong. Until now there has not been a single moment where customers did receive patches in advance. The only difference is that they see the advisories earlier, but at this moment patches are already available for all.

> maximum bug bounty is $500

For the record we received until now 340 reports by over 150 individuals and until now only 1 vulnerability within the server has been pointed out. (Full Path Disclosure of the ownCloud root folder such as "/var/www")

> If you need project management stuff and care about privacy, maybe look at https://protonet.info/ or something along those lines

What makes you think they are more secure? Note that most of the vulnerabilities within ownCloud are found internally: https://statuscode.ch/2015/09/ownCloud-security-development-...

We could easily never have published any information as do a lot of other projects and companies.


> "Please look at this commit so you know how you can hack us", sounds certainly like a much better idea ;-)

I think that'd be better than a deceptive commit message, yes. ;-) IMO, security-related changes should clearly be marked as such - if you don't want to have them publicly, you can keep it on a private branch for the time being.

> When was there a single very grave vulnerability within the core of Wordpress? Mostly plugins are the root of all evil there.

The same (plugins) probably applies to ownCloud, still that doesn't make it better. I personally think that embracing PHP's low entry barrier [1] is the wrong approach and I'd rather see a security-driven design.

> This is wrong. Until now there has not been a single moment where customers did receive patches in advance. The only difference being is that they see the advisories earlier, but at this moment patches are already available for all.

Thanks for the clarification - very sorry for the FUD. I got this info at a conference from one of your enterprise customers' not-so-technical management guys, who is apparently misinformed.

> For the record we received until now 340 reports by over 150 individuals and until now only 1 vulnerability within the server has been pointed out. (Full Path Disclosure of the ownCloud root folder such as "/var/www")

My argument was that the market price of a vulnerability is more or less a metric for security strength [2], and 500 USD doesn't seem to be much. If we presume that the value of a critical ownCloud exploit exceeds 500 USD, your bounty program provides very little incentive to search for or report critical vulnerabilities and you'd only get low-quality reports (which seems to be the case).

> What makes you think they are more secure?

I think that ownCloud has a big problem with automated vulnerability scanning and the security properties of managed appliances are generally superior. I unfortunately can't edit my original post anymore, but I should have added that running ownCloud behind a VPN is a very good idea as well.

[1] https://owncloud.org/blog/owncloud-and-php/ [2] https://events.ccc.de/congress/2005/fahrplan/attachments/542...

When was there a single very grave vulnerability within the core of Wordpress?

The list is current and very extensive:

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/...

So, if we ignore all lower and medium severity ones we're basically only left with CVE-2015-2213 which requires authentication. Also XSS is barely something one can blame PHP for. That's a pretty low number.

For the record: ownCloud protects you against XSS using Content-Security-Policy.
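The comment above states that ownCloud relies on Content-Security-Policy to mitigate XSS. Whether a CSP actually stops script injection depends on the details of the `script-src` directive (no `'unsafe-inline'` without a nonce or hash, no wildcards) and on `object-src`. The following is an added example, not ownCloud's code and not the header ownCloud sends: a small CSP parser plus a checker that reports why a given policy would still let injected script run. The two policies at the bottom are constructed for illustration.

```python
"""Check whether a Content-Security-Policy header blocks the script
injection vectors that a reflected or stored XSS relies on.

Added example. The policies below are constructed for illustration and
are not the header any real deployment sends.
"""

from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # A directive repeated within one policy is ignored after the first.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list in force for `directive`, applying the default-src
    fallback. None means the directive is not restricted at all."""
    if directive in policy:
        return policy[directive]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def script_xss_weaknesses(header: str) -> List[str]:
    """Return the reasons this policy would not stop injected script.
    An empty list means the policy blocks the usual XSS vectors."""
    policy = parse_csp(header)
    scripts = effective_sources(policy, "script-src")
    problems: List[str] = []
    if scripts is None:
        return ["no script-src or default-src: inline and remote scripts allowed"]

    lowered = [s.lower() for s in scripts]
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        problems.append("'unsafe-inline' permits injected <script> and event handlers")
    if "'unsafe-eval'" in lowered:
        problems.append("'unsafe-eval' permits eval()/new Function() on injected strings")
    if "*" in lowered or "data:" in lowered:
        problems.append("wildcard or data: source lets an attacker load arbitrary scripts")

    objects = effective_sources(policy, "object-src")
    if objects is None or "'none'" not in [s.lower() for s in objects]:
        # Plugin content (e.g. an uploaded SWF) can execute script too;
        # this matters on sites that host user uploads.
        problems.append("object-src is not 'none': plugin content can run script")
    return problems


# Constructed sample policies, not taken from any real site.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRONG_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'"


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(label, script_xss_weaknesses(csp) or ["ok"])
```

The checker only looks at the header itself; a policy that passes still needs the nonce to be unpredictable per response and must be applied to every page that reflects user input, which is the part a header-only review cannot verify.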

This is arbitrary wishfulness. I'm not even sure why you're debating Wordpress vulnerabilities -- if your point is that PHP is a secure application development environment, then even if WP was riddled with 9.0 severity exploits, it shouldn't matter. It seems to me that correlating your product's security with WP's, solely because they are both PHP apps, concedes the point.
The one column at the link that has "medium" and "low" values is "complexity" which means CVSS's "access complexity". So having many rows like this means there are many vulnerabilities that are easy to exploit!

Also CVE-2015-2213 is marked as NOT requiring authentication (along with about 7 other straight remote code execution CVEs).

> The one column at the link that has "medium" and "low" values is "complexity" which means CVSS's "access complexity". So it means there are many vulnerabilities that are easy to exploit.

I'm aware of that, I have a ton of CVE entries filed myself. I was referring to the score (https://nvd.nist.gov/cvss.cfm), anything below 7.0 is not deemed "high".

> Also CVE-2015-2213 is marked as NOT requiring authentication (along with about 7 other straight remote code execution CVEs).

CVE entries are often done terribly wrong if they are not provided by the vendor (which is what ownCloud does).

See https://core.trac.wordpress.org/changeset/33555 for the patch for CVE-2015-2213. As you can see this is within the function "wp_untrash_post_comments" which is called by "wp_untrash_post" which only accepts user input from the Wordpress admin panel.

There are still 4 CVEs there with CVSS score > 7.0.

There's really no reason to discount bugs based on having score < 7 though, it's a very rough measure and as you say not very reliable.