[VIM] Joomla! developer: Being "The Vendor" for Security Issues

security curmudgeon jericho at attrition.org
Sat Feb 27 08:48:59 UTC 2010


late response..

On Sun, 6 Sep 2009, Steven M. Christey wrote:

: This is basically a commentary on typical VDB practices shared by most 
: of us.  The Joomla!  folks have a couple solid points, especially on 
: proper distinction of third-party extensions from core, and their desire 
: for accuracy.
: 
: http://community.joomla.org/blogs/community/1029-on-being-qthe-vendorq.html
: 
: I'm thinking on a constructive response.  The apparent practice of 
: removing vulnerable extensions from their directory is probably 
: adversely affecting all of us - certainly CVE, who tries to verify that 
: an extension is not just site-specific before we create an entry.

I noticed this kind of issue pretty early on and directed how OSVDB 
handles it. Since our data set isn't 50% complete, vendor information is 
not added for many entries. As a result, the only real and consistent 
distinction we can make is in the title.

This goes for Joomla! and any other software with third-party plugins.

Vendor:
Joomla! ...

Third-party:
X Plugin for Joomla! ..

It's subtle but the best we can do for now.
