Free Security Audits

August 1st, 2008 | by Stefan Esser |

When I received the following mail today I was very amused, because the TikiWiki developers seem to have a very obscure idea of how to enhance the security of their product.

In the past you have found some vulnerabilities in Tikiwiki that we
have fixed based on your advice. The Tikiwiki community is about to
release Tikiwiki 2.0: 

http://info.tikiwiki.org/tiki-read_article.php?articleId=34 

We have released Tikiwiki 2.0 Release Candidate 4 based on the reports
received. You may want to test this new release. 

This is a unique chance for you to contribute to Tikiwiki security by
analysing the release candidate and let us know of security issues
that we need to patch before release. 

Your name or company can be quoted in the release information of
Tikiwiki if you wish so. 

Don't miss this opportunity of making Tikiwiki secure and having
great referrals for your work. 

Please report any vulnerability to security@tikiwiki.org

It seems over there at TikiWiki.org someone thought it would be a good idea to SPAM security researchers that already disclosed vulnerabilities in TikiWiki and convince them to audit TikiWiki for free.

Sorry guys but this type of mail and especially its wording counts as SPAM.

14 Responses to “Free Security Audits”

By fukami on Aug 1, 2008

    First comment ;P

By Eran Galperin on Aug 1, 2008

    You can’t fault them for approaching past contributors. Being that it’s an open-source project, you don’t expect them to pay for contributions do you?

By Stefan Esser on Aug 1, 2008

    Well the problem is not that they approach past contributors, the problem is that the whole mail is worded like a spam email.

    “This is a unique chance for you”
    “Don’t miss this opportunity”
    “referrals for your work”

    And this is actually not the first time that I have received this email. I have received this mail several times by now (most probably with every new RC release).

    BTW: other projects like phpBB collect money and pay for security audits

By Al on Aug 1, 2008

    There’s nothing wrong with open source projects kindly asking for people’s help (be it security-related or otherwise), but trying to pass it off as a “unique chance” or “opportunity” is a bit too much :)

    A question to Stefan: would you have had a different reaction if they had just said something like “we’re going to release 2.0, we’re grateful you’ve helped us in the past and it would be awesome if you could take a look at our new version” ?

By Stefan Esser on Aug 1, 2008

    Al, I usually help out people when my time allows it. For example I recently helped the guys at FluxBB.org (which is a fork of PunBB) and disclosed several vulnerabilities to them, although it is “just” a BETA and I therefore cannot even release an advisory for it ;)

By Tr4c3 on Aug 1, 2008

    lol…
    Visit this from http://blog.php-security.org/archives/96-This-blog-is-dead.html

    Good luck for you.

By Nyloth on Aug 7, 2008

    Stefan,

    It seems your reaction was a bit exaggerated and probably influenced by two things: the way it was formulated (on which I agree, but it was written by a non-native English speaker) and the fact that you saw this as a request to obtain a security audit for free (and even on a “beta” - which is in fact an RC - where you will not be able to publish your advisory to become a celebrity ;).

    Well, I think you just misunderstood the goals or the spirit of the mail.

    The TikiWiki community has worked for many months to improve its software, even in security terms. The security team considers security issues the most important thing. So it’s unfair to use terms like “obscure”, which is completely wrong.

    In this particular case, the goal was to inform people that already reported security flaws in the past, that a new major version is about to be released as stable.

    I think that you can’t blame a community for gently asking for comments before releasing, trying to offer people something as secure as possible, instead of publishing and only looking for security holes afterwards (this is good for you, but bad for the users).

By Stefan Esser on Aug 7, 2008

    Nyloth,

    Your idea of how, why and when a security researcher discloses security vulnerabilities is very black and white (and offending).

By dthacker on Aug 7, 2008

    So let’s see
    1) A project that you have called out for security errors in the past acknowledges that they should pay more attention, and asks if you would look at their code.
    2) Something in the wording of the request offends you, so you submit the project to public ridicule.

    Why not respond to the project instead of public ridicule? A simple “No, and take me off your list” would have sufficed.

    I’d be interested in hearing why you are offended by Nyloth’s statements.

By Stefan Esser on Aug 7, 2008

    dthacker:

    1) They did not ask for help. They spammed a group of people that did not ask to get emailed and tried to convince them to audit their release candidate with arguments like:
    “This is a unique chance for you”
    “Don’t miss this opportunity”
    “referrals for your work”

    2) “public ridicule” - give me a break. It was their decision to send out SPAM. I merely documented it.

    3) You obviously don’t know rule number one. Never ever reply to SPAM mail.

    4) Nyloth’s statement and the mail show that they believe security researchers only commit to open source projects to become more famous, to get some personal gain out of it, to release advisories for final products.
    This kind of thinking is very common among open source developers and it is offensive to every security researcher who commits his own free time to finding bugs.

By dthacker on Aug 7, 2008

    Argh! The project is trying to get more secure, not offend people. In your opinion, what’s the proper way to make that contact? I understand that you’re offended, but I don’t see what could have been done differently. If you never solicit feedback from security people, you’re never going to be more secure. That’s what this was all about. Is there a “politically correct” way to approach a security person?

By Stefan Esser on Aug 7, 2008

    What is so hard about just asking if they want to take a look. You don’t need to promise them a unique opportunity or whatever.

By Nyloth on Aug 8, 2008

    Stefan,

    I think you misunderstood once again. I was not speaking about other security researchers. You’re the only one to amuse yourself publicly with a mail that was not very well formulated.

    You are speaking about my ‘offending’ purposes. I think you didn’t consider that your action and the terms you used (like ‘obscure idea’) were a better example of something that could be qualified as ‘offending’.

    And, in fact, I did not want to be offending. I simply made suppositions based on what you said.

    You said “convince them to audit TikiWiki for free”, which suggested to me that we are not at all in the same spirit. I agree about the wording, but your blog post was titled “Free Security Audits”, nothing to do with “SPAM” it seems.

    You were so ‘offended’ that you missed my primary message. Too bad, really. By the way, thanks for your comments.

    Nyloth.

1 Trackback

Sep 11, 2008: We need a "Free Security Audit"! | PHP MySQL rapid prototyping & Security
