On our security policies

We take software security very seriously at Best Practical. Weregularly conduct audits of our own code and make security releases (including patches for all supported previous versions) for the vulnerabilties that we find. We want to ensure that the software we produce — which is often used to track security incidents — is not itself the cause of any.

We thus wish to make clear that the recent claim of a SQL injection vulnerability (since retracted) in RT is incorrect. We were notified via email on the 10th, and immediately examined the report. Within a few hours we had verified that the claimed exploit did not function according to the author's claims, and replied to the reporter accordingly, asking for further information.

Best Practical believes in responsible disclosure; namely, that vulnerabilities should be reported to the vendor privately, and then a timeline should be jointly established upon which the vulnerability will be made public. This allows sufficient time to examine the problem, come to a minimally-invasive solution which addresses the root cause, and prepare patches for all relevant supported versions of RT — while balancing this against the threat that the vulnerability is already being exploited in the wild. Past security researchers who have reported potential vulnerabilities have been excellent about discussing timeframes for public release of the weaknesses they have found.

Unfortunately, the author of the above report did not wait for a response from us before publishing his mistaken findings. Publishing unverified vulnerabilities can easily cause unnecessary CVEs (CVE-2013-3525 was assigned to this one) and confusion for vendors and users of the software. In this case, the Debian security team, who we've worked with in the past, picked up the report and contacted us to verify it. At that point in time, we decided to publish this notice.

If you ever believe you have found a vulnerability in our software, please report it to security@bestpractical.com so we can work together to verify it and resolve it in a timely manner. We also appreciate if you provide a PGP public key, so we can encrypt any security-sensitive communication. This information is, as always, available from bestpractical.com/security/

Share this post: