[Vtigercrm-developers] Reminder: Please be a contributor rather than a whistleblower on security issues.

Sutharsan J ajstharsan at gmail.com
Tue Apr 24 05:31:17 GMT 2018


Hi all

The problem is still that vtiger open source is not maintained sufficiently by
the community. It is still highly coherent to its on-demand version.

I feel it would be better to make it more community contributed while
keeping top level moderators from vtiger.

I am referring to the Fedora project here:

"The *Fedora Project* is a project sponsored by Red Hat
<https://en.m.wikipedia.org/wiki/Red_Hat> primarily to co-ordinate the
development of the Linux <https://en.m.wikipedia.org/wiki/Linux>-based
Fedora <https://en.m.wikipedia.org/wiki/Fedora_%28operating_system%29>
operating
system <https://en.m.wikipedia.org/wiki/Operating_system>, operating with
the vision that the project "creates a world where free culture is
welcoming .................
Red Hat employees make up only 35% of project contributors, and most of the
over 2,000 contributors are unaffiliated members of the community
" - wiki


Thanks
Sutharsan jeganathan



On Mon, Apr 23, 2018, 9:23 PM Chris Thompson <cthompson at moderas.org> wrote:

>
> While I think the tone of this email is a bit aggressive I do find the
> comments valuable (and terrifying).  To date the tenor of this list has
> been shall we say "we're working on it" with no clear roadmap that at least
> I can follow. It's seemed a little rudderless at times. I feel if the
> vtiger team engaged a little more situations like this might be avoided.
>
> I'll add the timelines stated might be a little unreasonable as others
> besides you might like their issues worked on.
>
> Sent from my iPhone
>
> On Apr 23, 2018, at 10:07 AM, Błażej Pabiszczak <
> b.pabiszczak at yetiforce.com> wrote:
>
> @Prasad
>
> Who is all this marketing spam for? Security, safety, and data privacy
> aren’t your priorities. If that were the case you’d have a different
> approach for all these years. If we cared about publicity we’d post all
> these errors to CVE and LinkedIn, in large groups that have 100k-200k
> members, like the Open Source group. For now we just want to embarrass you,
> so that you get stuff done.
>
> The majority of the errors that we’re going to publish will be sent to you
> earlier [what email address should we send it to?] so you have some time to
> fix them; depending on the type of an error it will be 7, 14, or 21 days. If
> you don’t fix them [like coreBOS does] then we’ll stop reporting them to
> you and you will find out about them on the day we publish the articles.
>
> Please don’t try to convince people that this system is safe because it
> isn’t. You’re not in touch with any security consultants; if you are you
> should change them. You’ve never had a decent security audit, and even if
> there was any it must’ve been short and a very long time ago.
>
> I’ll tell you how things are right now:
>
>    1. You don’t follow any standards as far as creating software is
>    concerned, e.g. PSR
>    2. You don’t analyze the code statically, improving it according to
>    current standards, e.g.: https://insight.sensiolabs.com/,
>    https://scrutinizer-ci.com/, https://sonarwhal.com
>    3. You have no unit/automatic tests.
>    4. You don’t follow OWASP ASVS guidelines
>    5. You don’t fix errors, you suppress them instead, and compatibility
>    with the latest PHP versions is done with as little effort as possible.
>    6. You don’t know what libraries you use, many of them have security
>    errors. It took us several months to clean up and update libraries, how
>    long will it take you?
>    7. You don’t know under what license your libraries are, you still use
>    GPL/AGPL in your system.
>
> And what does the security look like? It’s terrible, believe me. Please
> provoke me [block me here for example] or keep saying that the system is
> safe, then I’ll do what I don’t have time to do; I’ll write a few dozen
> articles, each with critical security vulnerabilities. Please tell your
> community:
>
>    1. When are you going to update libraries to the latest versions?
>    They’re full of holes! E.g.: jQuery 2.1.1 [CVE-2015-9251, CVE-2016-10707].
>    2. When are you going to move key files away from public_html?
>    3. When are you going to start checking permissions to each module,
>    action, record; instead of what you do now, which is creating dozens of
>    weird exceptions that lower the security level?
>    4. When are you going to properly [and centrally] check/clean data
>    sent in request [especially when it comes to HTML files]
>    5. When are you going to verify security and quality of the addons in
>    https://marketplace.vtiger.com/app/listings because the products
>    available there aren’t under any control.
>    6. When are you going to present the results of security audits
>    performed by a reputable company that specializes in web applications?
>
> Every week we’ll publish 1-2 articles related to
> coreBOS/Vtiger/VTE/SuiteCRM/EPESI, I hope you change your approach and
> start improving the core of your system.
> ---
>
> Yours sincerely / Regards
> *Błażej Pabiszczak*
> M: +48.884999123
> E: b.pabiszczak at yetiforce.com
>
>
> On 2018-04-20 13:44, Prasad wrote:
>
> I hope you are following issue tracker as well.
>
> --
> FB <http://www.facebook.com/vtiger> I Twit <http://twitter.com/vtigercrm>
>  I LIn <https://www.linkedin.com/company/1270573?trk=tyah> I Blog
> <https://blogs.vtiger.com> I Website <https://www.vtiger.com/>
>
> On Fri, Apr 20, 2018 at 5:11 PM, socialboostdk <socialboostdk at gmail.com>
> wrote:
>
>> +1
>>
>> Also avoid using users' email to hash passwords. It's crap + means that you
>> cannot change email without also changing password...
>>
>> On 20 April 2018 at 13:31, Conrado Maggi <comaggi at gmail.com> wrote:
>>
>>> Basically, Not doing this:
>>> https://unsecure.blog/en/114-vtigercrm-storing-passwords-in-md5.html
>>>
>>> Conrado
>>>
>>> On Fri, Apr 20, 2018 at 12:22 PM, Prasad <prasad at vtiger.com> wrote:
>>>
>>>> Thank you for the references. We are in touch with a few wise security
>>>> advisors as well.
>>>>
>>>> The intent behind the post was to raise awareness of the quality of
>>>> information that needs to be exchanged
>>>> when understanding a security issue.
>>>>
>>>> Regards,
>>>> Prasad
>>>>
>>>>
>>>> --
>>>> FB <http://www.facebook.com/vtiger> I Twit
>>>> <http://twitter.com/vtigercrm> I LIn
>>>> <https://www.linkedin.com/company/1270573?trk=tyah> I Blog
>>>> <https://blogs.vtiger.com> I Website <https://www.vtiger.com/>
>>>>
>>>> On Fri, Apr 20, 2018 at 3:20 PM, IT-Solutions4You <info at its4you.sk>
>>>> wrote:
>>>>
>>>>> I found this interesting project
>>>>> https://hacktrophy.com/en/price-ethical-hacking/
>>>>>
>>>>> I think to contact them for scanning vtiger. Maybe you(vtiger) can
>>>>> cooperate, basically it's your software ;-)
>>>>>
>>>>> Matus
>>>>>
>>>>> On 20 Apr 2018 at 10:54, Prasad wrote:
>>>>>
>>>>>> Dear members,
>>>>>>
>>>>>> Security and Data-Privacy is our top priority.
>>>>>>
>>>>>> Citing a security concern on public channels without providing much
>>>>>> detail is more like whistleblowing, which does no good but creates
>>>>>> suspicion in those who aren't fully aware of the details.
>>>>>>
>>>>>> If you are aware of a security risk or suspect a possible hole that
>>>>>> can give an attacker the ability to gain customer data, please feel free
>>>>>> to reach out to us
>>>>>> with complete details or file the issue on our tracker to keep our
>>>>>> community informed.
>>>>>>
>>>>>> Regards,
>>>>>> Prasad
>>>>>>
>>>>>> _______________________________________________
>>>>>> http://www.vtiger.com/
>>>>>>
>>>>>
>>>>>