Well, as I said, we debated this endlessly. There was a website (whose URL I forget, I think it might have been part of SANS or CERN) that posted system-level security problems weekly. It could be an eye-opener for those who complained that Windows was the buggiest thing ever, since the other OS flavors often reported as many if not more security-related bugs. I don't know what their source was.

In any case, simply reporting that there is a hole in a plug-in, without specifying what it is, would probably be a good middle road.

Regards,

Jerry Schwartz
The Infoshop by Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341

www.the-infoshop.com
www.giiexpress.com
www.etudes-marche.com

-----Original Message-----
From: dokuwiki-bounce@xxxxxxxxxxxxx [mailto:dokuwiki-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Keltz
Sent: Wednesday, March 12, 2008 11:00 AM
To: dokuwiki@xxxxxxxxxxxxx
Subject: [dokuwiki] Re: Handling security issues in DokuWiki plugins

On 03/12/08 10:51, Jerry Schwartz wrote:
> That is somewhat dangerous, since it could lead to unwanted experimentation.
> We can't assume that there aren't eavesdroppers on this list.
>
> When I worked for a major vendor in the software (and hardware) field, this
> was debated endlessly. We always fell back on the position that we would
> announce a security hole when a patch was available, not before.

That being said, if they are going to post the vulnerability on the Wiki page, and not e-mail it, I may not find out about it until someone has hacked my Wiki site.

Jason.
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist