The following policy may not be the best choice for an open-source product:
"... if the security vulnerability is sent in through bugs.mysql.com, we may mark the bug private, in effect making it invisible outside the members of the Security Team plus a few other developers at MySQL AB."
An example is CVE-2007-5925. The 9-Nov-2007 NIST Summary and many other reports all link to the MySQL bug. For example:
http://xforce.iss.net/xforce/xfdb/38284 ,
http://secunia.com/advisories/27568 ,
http://www.securityfocus.com/bid/26353/references , etc.
Unfortunately these links all now produce the message:
"You do not have access to bug #32125."
MySQL users who were not quick enough to view bug 32125 must search elsewhere for additional info and patches.
The policy of withholding security bug details is probably a well-intentioned effort to keep the details out of the hands of miscreants, but doing so is really not possible with an open-source product. It certainly is impossible once a CVE is released. This practice risks being misinterpreted as an attempt at secrecy. It prevents the MySQL community from checking if the exploit really works in their own environment, and from testing any patches which might have been proposed in the bug.
I know it is difficult to overcome the impulse to withhold the details about security issues. Over time, however, a policy of complete openness and candor about vulnerabilities is likely to serve MySQL's reputation better. This would help distinguish MySQL's practices from those of closed-source commercial software vendors, whose actions in the face of security vulnerabilities are sometimes suspect.
CVE-2007-5925 is not a big deal as vulnerabilities go. Alas, sooner or later a serious vulnerability is likely to be discovered. I think it would be easier for MySQL to switch to a full and swift disclosure practice now - rather than wait to reconsider the policy in the face of the headlines, criticism, and stress which would accompany a more serious vulnerability report.
-tom-
Edited 2 times. Last edit at 12/07/2007 11:02PM by Tom Donovan.