
New developments in the LedgerSMB Team's approach to Security

The LedgerSMB team is adopting a process by which older security
tickets will be "declassified" and moved from a private Sourceforge
tracker to a public one.  This is being done as part of our continued
efforts to better the security of our software.

These reports may include sensitive security information, including
actual exploits, and our discussions that surround fixing them.  It is
hoped that adopting a responsible process in this regard will help to
better the security of our users in the following ways:

1)  By helping security scanning vendors (and internal network
security teams) develop automated tests for older vulnerabilities.
2)  By providing more opportunities for feedback on how we handle
security and how we respond to security issues.

Please note that our source code repository is public, so malicious
individuals can always read security advisories, then go review the
sections of code which have been changed.  It is thus important to
remember that one should keep up to date with the software in order to
stay protected.

These tracker items will not be declassified immediately when an
advisory is released, in order to give administrators a chance to
upgrade their systems.  However, once a reasonable timeframe has
elapsed, we will make the information available.

Currently all security tracker items fixed by versions through 1.2.0
have been declassified.  You can view them by looking up the closed
items on the Stale Security tracker.  As always, feedback is welcome.

Best Wishes,
Chris Travers