[Vtigercrm-developers] Reminder: Please be a contributor than a whistleblower - on security issues.

Chris Thompson cthompson at moderas.org
Mon Apr 23 15:52:23 GMT 2018


While I think the tone of this email is a bit aggressive, I do find the comments valuable (and terrifying). To date the tenor of this list has been, shall we say, "we're working on it", with no clear roadmap that at least I can follow. It's seemed a little rudderless at times. I feel that if the vtiger team engaged a little more, situations like this might be avoided.

I'll add that the timelines stated might be a little unreasonable, as others besides you might like their issues worked on.

Sent from my iPhone

> On Apr 23, 2018, at 10:07 AM, Błażej Pabiszczak <b.pabiszczak at yetiforce.com> wrote:
> 
> @Prasad
> 
> Who is all this marketing spam for? Security, safety, and data privacy aren't your priorities. If that were the case, you would have had a different approach all these years. If we cared about publicity we'd post all these errors to CVE and LinkedIn, in large groups that have 100k-200k members, like the Open Source group. For now we just want to embarrass you, so that you get stuff done.
> 
> The majority of the errors that we're going to publish will be sent to you earlier [what email address should we send them to?] so you have some time to fix them; depending on the type of error it will be 7, 14, or 21 days. If you don't fix them [like coreBOS does] then we'll stop reporting them to you and you will find out about them on the day we publish the articles.
> 
> Please don't try to convince people that this system is safe, because it isn't. You're not in touch with any security consultants; if you are, you should change them. You've never had a decent security audit, and even if there was one it must have been short and a very long time ago.
> 
> I’ll tell you how things are right now:
> 
> You don't follow any standards as far as creating software is concerned, e.g. PSR.
> You don't analyze the code statically, improving it according to current standards, e.g.: https://insight.sensiolabs.com/, https://scrutinizer-ci.com/, https://sonarwhal.com
> You have no unit/automatic tests.
> You don't follow OWASP ASVS guidelines.
> You don't fix errors, you suppress them instead, and compatibility with the latest PHP versions is done with as little effort as possible.
> You don't know what libraries you use; many of them have security errors. It took us several months to clean up and update libraries, how long will it take you?
> You don't know under what license your libraries are; you still use GPL/AGPL in your system.
> And what does the security look like? It's terrible, believe me. Please provoke me [block me here, for example] or keep saying that the system is safe, then I'll do what I don't have time to do: I'll write a few dozen articles, each with critical security vulnerabilities. Please tell your community:
> 
> When are you going to update libraries to the latest versions? They're full of holes! E.g.: jQuery 2.1.1 [CVE-2015-9251, CVE-2016-10707].
> When are you going to move key files away from public_html?
> When are you going to start checking permissions for each module, action, and record, instead of what you do now, which is creating dozens of weird exceptions that lower the security level?
> When are you going to properly [and centrally] check/clean data sent in requests [especially when it comes to HTML files]?
> When are you going to verify the security and quality of the addons in https://marketplace.vtiger.com/app/listings, because the products available there aren't under any control?
> When are you going to present the results of security audits performed by a reputable company that specializes in web applications?
> Every week we'll publish 1-2 articles related to coreBOS/Vtiger/VTE/SuiteCRM/EPESI. I hope you change your approach and start improving the core of your system.
> 
> ---
> Regards
> 
> Błażej Pabiszczak
> M: +48.884999123
> E: b.pabiszczak at yetiforce.com
> 
> 
> On 2018-04-20 13:44, Prasad wrote:
> 
>> I hope you are following issue tracker as well.
>> 
>> --
>> FB I Twit I LIn I Blog I Website
>> 
>>> On Fri, Apr 20, 2018 at 5:11 PM, socialboostdk <socialboostdk at gmail.com> wrote:
>>> +1
>>>  
>>> Also avoid using users' email to hash passwords. It's crap + means that you cannot change email without also changing password...
>>> 
>>>> On 20 April 2018 at 13:31, Conrado Maggi <comaggi at gmail.com> wrote:
>>>> Basically, Not doing this: https://unsecure.blog/en/114-vtigercrm-storing-passwords-in-md5.html 
>>>>  
>>>> Conrado
>>>> 
>>>>> On Fri, Apr 20, 2018 at 12:22 PM, Prasad <prasad at vtiger.com> wrote:
>>>>> Thank you for the references. We are in touch with a few wise security advisors as well.
>>>>>  
>>>>> The intent behind the post was to raise awareness of the quality of information that needs to be exchanged
>>>>> when understanding a security issue.
>>>>>  
>>>>> Regards,
>>>>> Prasad
>>>>>  
>>>>> 
>>>>> --
>>>>> FB I Twit I LIn I Blog I Website
>>>>> 
>>>>>> On Fri, Apr 20, 2018 at 3:20 PM, IT-Solutions4You <info at its4you.sk> wrote:
>>>>>> I found this interesting project
>>>>>> https://hacktrophy.com/en/price-ethical-hacking/
>>>>>> 
>>>>>> I think I'll contact them about scanning vtiger. Maybe you (vtiger) can cooperate; basically it's your software ;-)
>>>>>> 
>>>>>> Matus
>>>>>> 
>>>>>> On 20. 4. 2018 at 10:54 Prasad wrote:
>>>>>>> Dear members,
>>>>>>> 
>>>>>>> Security and Data-Privacy is our top priority.
>>>>>>> 
>>>>>>> Citing a security concern on public channels without providing many details is more like whistleblowing, which does no good but creates suspicion in those who aren't fully aware of the details.
>>>>>>> 
>>>>>>> If you are aware of a security risk or suspect a possible hole that
>>>>>>> can give an attacker the ability to gain customer data, please feel free to reach out to us
>>>>>>> with complete details, or file the issue on our tracker to keep our community informed.
>>>>>>> 
>>>>>>> Regards,
>>>>>>> Prasad
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> http://www.vtiger.com/
>>>>>> 
>>>>>> 
>>> 
>> 
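Editor's note: the two messages above that complain about MD5 password storage and about using the user's e-mail address in the hash describe a real design problem but do not show code. The block below is an added example, not vtiger's or YetiForce's code. It assumes a legacy scheme of the form md5(email . password) purely for illustration; the thread does not state vtiger's exact construction. It contrasts that scheme with PHP's password_hash()/password_verify() (bcrypt, random per-user salt) and shows a login routine that rehashes legacy records transparently on the first successful login. The user record is a constructed array standing in for a database row. Requires PHP 7.0 or later.

```php
<?php
// Added example, not project code. The legacy formula is an assumption for
// illustration; the thread only says "MD5" and "e-mail used to hash passwords".
declare(strict_types=1);

// Legacy scheme (assumed): the user's e-mail address acts as the "salt".
function legacy_hash(string $email, string $password): string
{
    return md5($email . $password);
}

function legacy_verify(string $email, string $password, string $stored): bool
{
    return hash_equals($stored, legacy_hash($email, $password));
}

// Hardened scheme: bcrypt via password_hash() draws a random salt per call and
// stores salt, algorithm and cost inside the returned string.
const BCRYPT_COST = 12;

function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function modern_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Login routine: verifies against whichever scheme the record uses and upgrades
// a legacy record in place after a successful login, so the legacy column can be
// dropped once every active user has logged in once.
function login(array &$record, string $password): bool
{
    if ($record['hash_type'] === 'legacy') {
        if (!legacy_verify($record['email'], $password, $record['hash'])) {
            return false;
        }
        $record['hash'] = modern_hash($password);
        $record['hash_type'] = 'bcrypt';
        return true;
    }
    if (!modern_verify($password, $record['hash'])) {
        return false;
    }
    // Re-hash when the cost factor has been raised since this hash was created.
    if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $record['hash'] = modern_hash($password);
    }
    return true;
}

// Small check helper so the demonstration fails loudly regardless of the
// zend.assertions setting.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// --- Demonstration on a constructed user record ---
$password = 'correct horse battery staple';
$user = [
    'email'     => 'alice@example.com',
    'hash_type' => 'legacy',
    'hash'      => legacy_hash('alice@example.com', $password),
];

// Legacy: the hash is a deterministic function of (email, password), so the same
// credentials on any deployment produce the same value, and a single fast MD5 per
// guess is cheap to brute-force offline.
check(legacy_hash('alice@example.com', $password) === $user['hash'],
      'legacy hash is deterministic across deployments');

// Legacy: changing the e-mail silently invalidates the stored hash even though
// the password did not change, the coupling the thread complains about.
check(legacy_verify('alice@new.example', $password, $user['hash']) === false,
      'legacy verify breaks when the e-mail changes');

// First successful login migrates the record to bcrypt.
check(login($user, $password) === true, 'legacy login succeeds');
check($user['hash_type'] === 'bcrypt', 'record upgraded to bcrypt');
check(password_get_info($user['hash'])['algoName'] === 'bcrypt', 'stored hash is bcrypt');

// Bcrypt: the e-mail is not an input, so it can change freely; two hashes of the
// same password differ because the salt is random; wrong passwords still fail.
$user['email'] = 'alice@new.example';
check(login($user, $password) === true, 'login still works after e-mail change');
check(modern_hash($password) !== modern_hash($password), 'bcrypt salts are random');
check(login($user, 'wrong password') === false, 'wrong password rejected');
```

Run it with `php example.php`; each check prints `ok:` and a failed check throws. The migration-on-login pattern is the usual way out of a weak stored format without forcing a reset, but it only covers users who log in; accounts that stay dormant keep their MD5 values and should be force-expired after a cutoff.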