Open source software security

Whoops!

24 May 2010
Boy, what a terrible weekend! On Friday I found what I thought was a pretty amazing Drupal vulnerability. I reported it at the very end of the day. It was kind of a rush job as I was trying to get out the door, but I thought it was important enough that I wanted to send something in right away. I waited with anticipation for confirmation of my e-mail receipt from Drupal security. Friday night came and went with no word, Saturday waned, and I stopped checking my e-mail in the late afternoon. I woke up Sunday morning to find a response from Drupal security. I was rushed (trying to get ready for my day) and I didn't read the response very closely:

    Thank you for contacting the Drupal Security Team. Please see http://drupal.org/node/768244 where this is being addressed within the public issue queue.

Checking the site I found that the issue had been disclosed! I hadn't had my coffee so I was pretty confused. It looked like Drupal security had gotten my e-mail and then started discussing the issue publicly. I got all in a huff and sent off a smarmy e-mail asking why they would do such a thing and posted some equally crappy tweets. I then ran out the door for other Sunday obligations.

Lessons Learned

I made several mistakes in handling the issue. First, I didn't check the public issue queue for the module in question. If I had, I would have noticed on Friday that the issue was already public. Then, on Sunday, I should have looked at the dates on the public queue, as they were from last month. Finally, I shouldn't have jumped to any conclusions before talking to someone at Drupal security. Sending off a nastygram didn't do anyone any favors.

Looking Ahead

For whatever reason, dealing with Drupal security issues really brings out the worst in me, and I'm sure my bad behavior drags down others as well. Thinking back on my rather long and tumultuous history with Drupal security, I'm not very proud of how I've handled many things. I've taken matters personally, gotten testy, and come to expect the worst. I approach every issue expecting the security team to receive me with hostility, which to some degree I'm sure I deserve. Because of this I'm sure my e-mails to them come off as confrontational, pompous, and aggressive. Even on a good day most people would be justifiably peeved by that kind of thing.

After this weekend's experience I owe the Drupal security team an apology. I shouldn't have jumped to the conclusion that they had done something wrong. They've always handled issues in their queue in strict accordance with their process. They've never given me any reason to expect otherwise.

Upon reflection I'm going to step away from interaction with the Drupal security team. I'm sure they're sick of me, and I'm sick of finding myself behaving badly when dealing with them. Luckily I've got a new co-op starting work for me this week, and another of my colleagues is starting to pick up Drupal module security review responsibilities. I'm going to turn my attention to training the new people rather than poking at Drupal directly. Hopefully spreading the knowledge and bringing new people on board will bring fresh perspective and an untainted interaction with the Drupal security team. I'm hoping this sparks a better interaction and helps to strengthen the community. I'm also hoping to produce some new articles for the main MadIrish.net site on Drupal module security review so more folks can get involved. Having more eyeballs checking Drupal code for security flaws will only make the product stronger.

I'm also going to try and focus more on the productive side of Drupal. Always poking holes in Drupal is really negative and causes me to forget why I chose to use Drupal in the first place. I was a strong proponent for Drupal during the CMS evaluation and selection process for my school, and have devoted countless hours to evangelizing Drupal to other higher education institutions as well as to my university as a whole. Drupal is a great tool, but always trying to look for problems is tainting my perspective and causing me to myopically focus only on the things that are wrong with Drupal. I'm looking forward to devoting more attention to this blog (which is a Drupal site) and other projects with Drupal at work.