[sldev] Viewer security vulnerability disclosure group

Boy Lane boy.lane at yahoo.com
Fri Dec 26 19:16:47 PST 2008


> so... this is just a long winded discussion to support the following
> statement:
>
> "telling everybody about a security vulnerability before remediation is
> available is bad."

And this is simply wrong. Not only wrong but unacceptable.

We don't need to go through a long list of historical events or personal experiences. Let's just keep it down to the facts.

LL decided to put the SecondLife code into open source, available for everyone everywhere. As such any approach of security through obscurity is doomed to fail. By putting SL into open source, LL took on a huge responsibility as active developer and as contributor to the open source community. Thanks to that SL code is now in one way or the other used by millions of users in hundreds or thousands of grids worldwide.

I understand that LL has no interest in supporting the competition like the opensim grids, and as you wrote LL has no interest to expose themselves to possible (commercial) risk. But as I just said, you made the decision earlier to be part of the open source development. And you benefit largely from it. It is a two-way road.

I'd expect LL to provide regular security bulletins in an organized way, accessible to all users who would be interested in them. That does not mean a detailed piece of code, but a clear description of the vulnerability and the risk. A good distribution list reaching dedicated people would indeed be the SLDev mailing list. So that developers can decide what to do, perhaps help to fix it in faster way than LL would be able to or is unwilling to do, or if this is not possible to provide recommendations such as not to use a particular version of the viewer.

I remember that last security disaster in the 1.20.17 version. LL decided to work behind closed doors. Even though a fix was internally available, it was not provided in source / patch form to 3rd party developers, leaving tens if not hundreds of thousands of users vulnerable. It was only made available several days later through obscure channels to a handful of developers who asked for it. And it was half-hearted, as LL decided not to backport the security patches to the 1.19 pre-windlight viewers but left that task completely to the developers of alternative viewers. The only way to mitigate the risk was to tell people not to use, in our case, the Cool Viewer, as the vulnerability and risks were unknown. Which led to a worse development, with many users falling back to older, unpatched versions, and it is highly likely many still use them today.

So, to come back to the beginning. NOT to provide security information before a "remediation is available" is bad. It is not only bad, but if LL knows about a security threat and keeps it intentionally secret, I would question if this is in the interest and in good faith not only of LL and SecondLife users but of the whole open source community LL decided to be part of. In the past LL also left security critical work completely to 3rd party developers, as just explained. I guess that will be covered under "Quality Assurance".

Under fair disclosure I would understand an early warning mechanism, not limited to only a handful of people willing to sign an NDA with LL, as the code is not in LL's but in open source hands. This early warning mechanism should distribute information about ALL security vulnerabilities found and the potential risk involved. And it should work both ways for the benefit of all.

Boy
http://my.opera.com/boylane



