| [Firebase Founder] Hi Robin, You’re right, some folks don’t fully setup their security rules. We remind our developers to do this, but can -- and clearly need -- to do more. Your suggestion about requiring security rules is a good one. We’ll be going through our customers and providing more personalized feedback on their security rules in the coming days. Also, we are working on additional tutorials and examples to teach our devs how to use our security rules in an interactive way. Thanks for pointing out some of the areas we can improve our examples. They’re intended to illustrate design patterns, not be robust production apps. Again, we can do better here, and the code we use as an example should be bullet proof. Like any application, Firebase-powered apps are only as secure as the developers make them. If you do not control access with security rules, your app could be vulnerable. XSS attacks can affect Firebase apps like any other application. Finally, we would have really liked you to provide responsible disclosure on the specific Firebases you found issue with and given us enough time to speak with those customers before taking this public. We’ll reach out to you via email now. |
The good news: you can trivially address this by adding one page in your CMS, calling it "Security", writing a few sentences of copy, and adding a) an email address which is monitored, b) a promise to write back, and c) (optional) a PGP key.
Some good examples:
http://www.twilio.com/docs/security/disclosure
http://37signals.com/security-response
http://technet.microsoft.com/en-us/security/ff852094.aspx
P.S. This advice is broadly applicable to everyone here who owns or helps to manage a software company.