June 19, 2008

Collective Security Bulletins (CSB), the reason for...

Category: Security

By: Lars Houmark

The TYPO3 Security Team has started a new procedure for publishing bulletins on security issues in some extensions. This procedure only covers TYPO3 third-party software.

Starting today, the TYPO3 Security Team will, on a regular basis, issue a Collective Security Bulletin (CSB) for some extensions which have been found vulnerable.

The first CSB is available here, and includes 13 extensions.

Why is that?

There are a number of reasons for this, which I would like to clarify in this blog post.

The number of extensions reported to us as insecure is increasing with the popularity of TYPO3, and with the fact that more and more website developers are becoming security focused, which means they do their own security audits of the extensions they use. When they find one or more issues, they report them to security(at)typo3.org, the home of the TYPO3 Security Team.

Our primary objective in the TYPO3 Security Team is to keep the TYPO3 Core safe and to work with the authors of extensions that have been found insecure, in order to help them make their extensions secure.

Now, the TER contains well over 3,000 extensions. We know that a fairly high number of these have security issues, but many of these extensions also have a very small number of downloads.

Creating a security bulletin is, unfortunately, not something that is done in five minutes. Therefore we have decided to collect, into one bulletin, the extensions that either have a small number of downloads or are otherwise of little importance to the TYPO3 community.

This saves us a significant amount of time, which we can spend on what we think are more important subjects.

This does not mean that you should not report security issues in extensions with a small number of downloads to us. The Collective Security Bulletin will still be read by thousands of TYPO3 professionals.

Case by case, we will decide whether an extension issue requires a security bulletin of its own, or whether it can be added to the next collective bulletin. If we decide that an extension will be part of the next collective bulletin, we will allow the author to release a fixed version immediately, instead of having to wait for a dedicated bulletin, which takes time to prepare and publish.

Due to a spam attack on buzz.typo3.org we are currently not allowing comments, but if you have any comments on this subject, please feel free to send an email to security(at)typo3.org.
