PauloV Posted March 25, 2014

Hello Blestars,

Today more "funny" stuff happened on WHMCS, as many of you have received. We are thinking of developing a plugin for Blesta called "Blesta Bug & Security Submit". Because there are some bugs and some security holes that can't go public, like what happened, and is happening, to WHMCS, we have to learn from the mistakes and take steps.

The plugin will be a simple way for anyone who has found a bug or a security hole to immediately report it to the Blesta devs, and will have the fields:

- Blesta Version (will auto-fill this field);
- All Plugins/Extensions Installed and versions (will auto-fill this field);
- Bug/Security Rate (dropdown, you will choose between LOW, HIGH, CRITICAL);
- Email to contact (text field, email address to be reached);
- URL where the Bug/Security Hole was detected (text field);
- Short Description of the Bug/Security Hole (textarea field);
- Steps to Reproduce the Bug/Security Hole (textarea field);
- Screenshot of the Bug/Security Hole (upload an image).

We need the approval of the Blesta owners/devs to make this plugin, and to send to an email address they choose and tell us, for example send all submitted reports to security [at] blesta.com or something, or we can send a call in JSON to an API address also.

Regards,
PV
MemoryX2 Posted March 25, 2014

If you do create this plugin, I think that the security aspects of it should be sent to Blesta in encrypted emails.
Paul Posted March 25, 2014

We already have a policy for security related issues. See http://docs.blesta.com/display/support/Responsible+Disclosure+Policy

Emailing our security department automatically opens a ticket, and we review all reports right away. We do not currently have a bounty program though. We give credit but not monetary rewards for reporting security issues. We may offer bounties in the future, but we have found that most people do not download and install Blesta and test it themselves. They run automated penetration tests on our live systems and cause headaches for our infrastructure.
PauloV Posted March 25, 2014 (Author)

> We already have a policy for security related issues. See http://docs.blesta.com/display/support/Responsible+Disclosure+Policy
>
> Emailing our security department automatically opens a ticket, and we review all reports right away. We do not currently have a bounty program though. We give credit but not monetary rewards for reporting security issues. We may offer bounties in the future, but we have found that most people do not download and install Blesta and test it themselves. They run automated penetration tests on our live systems and cause headaches for our infrastructure.

A bounty program doesn't mean "to take credit" or "money"; the "bounty" is just a name we have added/suggested to "catch" or "detect" a bug or security hole, nothing more and nothing less.

But, if you take the "Bounty" name into account, we could make it a "Top member" list that displays a status of the top members who have detected bugs or security holes, just a top member, no monetary awards.

Lol, when I published this post, I was not thinking of any award or money, just a simple plugin to easily post things to the Blesta devs. I have to change the name "Bounty" eheh.
Michael Posted March 25, 2014

I personally think this would be pointless, just because I don't see why you need it. If it was for plugin / module / gateway developers to submit an easy list of their bug change reports, that might be interesting.
PauloV Posted March 25, 2014 (Author)

> I personally think this would be pointless, just because I don't see why you need it. If it was for plugin / module / gateway developers to submit an easy list of their bug change reports, that might be interesting.

Good point. We could get the "email address" from the plugin/extension creator, and we could submit bugs or report security holes.

The thinking is, because sometimes we find a bug, and we think "I have to report this, but now I don't have time, maybe later", and then we forget and the bug is still present. If we had a plugin to easily send bug reports, everyone would report bugs found instead of getting a forum login account to report, or sending a support ticket to Blesta.
Paul Posted March 25, 2014

> I have to change the name "Bounty" eheh

Yeah, I wouldn't put the word bounty in it; many people assume there is a monetary award. In theory the plugin sounds like a good idea, but don't forget that they first have to install it. Most people won't go through the effort.
Michael Posted March 25, 2014

> Good point. We could get the "email address" from the plugin/extension creator, and we could submit bugs or report security holes.
>
> The thinking is, because sometimes we find a bug, and we think "I have to report this, but now I don't have time, maybe later", and then we forget and the bug is still present. If we had a plugin to easily send bug reports, everyone would report bugs found instead of getting a forum login account to report, or sending a support ticket to Blesta.

I'm lazy, I only post here if I know it will help others, but I don't technically look for bugs.