Policy of least disclosure explained

Posted on July 24, 2009 by Marcus.

On the TYPO3 Security Team website section you'll find a paragraph on incident handling. There it is mentioned that the TYPO3 Security Team does follow a policy of least disclosure. Have you ever asked yourself what this actually means?

For the TYPO3 Security Team this means that the team will publish bulletins/advisories for every vulnerability in TYPO3 Core or in TER listed extensions that has been reported and finally fixed. The bulletin itself will only contain the least necessary facts of vulnerabilities that are needed to know if a user might be affected and what the possible impact would be.

The TYPO3 Security Team will not publish exploit or proof of concept code; such critical information is only exchanged between the reporter of the vulnerability, the TYPO3 Security Team itself and either the TYPO3 Core Team or the extension maintainer.

 

The benefits for TYPO3 user:
By subscribing to the announce mailinglist (more on basic steps in my first things first blog post) you'll be informed about any vulnerability found in TYPO3 Core or TER listed extensions. There's no ready-to-be-used exploit code which means that a Black Hat needs to put some efforts in thinking and coding before he's able to exploit a vulnerability.

Needs and expectations by the TYPO3 Security Team:
In order to maintain this least disclosure policy, the TYPO3 Security Team expects to get involved in every vulnerability fixing process. So please contact us if

• you've discovered a vulnerability in TYPO3 Core or a TER listed extension
• you've been reported or found by yourself a vulnerability in your own extension

The TYPO3 Security Team has created an Extension Security Policy some time ago. Please make sure you've read it!