[Bug & Security Submit Plugin] - Your Thoughts


PauloV

Hello Blestars :)

Today more "funny" stuff happened on WHMCS, as many of you have received.

We are thinking of developing a plugin for Blesta called "Blesta Bug & Security Submit".

Because there are some bugs and some security holes that can't go public, like what happened, and is happening, to WHMCS, we have to learn from the mistakes and take steps :)

The plugin will be a simple way for anyone who has found a bug or a security hole to immediately report it to the Blesta devs, and will have the fields:

Blesta Version (will auto-fill this field);
All Plugins/Extensions Installed and versions (will auto-fill this field);
Bug/Security Rate (dropdown, you will choose between LOW, HIGH, CRITICAL);
Email to contact (text field, email address to be reached);
URL where the Bug/Security Hole was detected (text field);
Short Description of the Bug/Security Hole (textarea field);
Steps to Reproduce the Bug/Security Hole (textarea field);
Screenshot of the Bug/Security Hole (upload an image);

We need the approval of the Blesta owners/devs to make this plugin, and to send it to an email address they choose and tell us, for example send all submitted reports to security [at] blesta.com or something, or we can send a call in JSON to an API address also :)

 

Regards,

PV


We already have a policy for security related issues. See http://docs.blesta.com/display/support/Responsible+Disclosure+Policy

 

Emailing our security department automatically opens a ticket, and we review all reports right away. We do not currently have a bounty program though. We give credit but not monetary rewards for reporting security issues. We may offer bounties in the future, but we have found that most people do not download and install Blesta and test it themselves; they run automated penetration tests on our live systems and cause headaches for our infrastructure.


A bounty program doesn't mean "to take credit" or "money" :) the "bounty" is just a name we have added/suggested to "catch" or "detect" a bug or security hole, nothing more and nothing less :)

But, if you take the "Bounty" name into account, we could make it a "Top member" status that displays the top members who have detected bugs or security holes, just a top member, no monetary awards.

Lol, when I published this post, I was not thinking of any award or money, just a simple plugin to easily post things to the Blesta devs :)

I have to change the name "Bounty" eheh :P


I personally think this would be pointless, just because I don't see why you need it. If it was for plugin / module / gateway developers to submit an easy list of their bug change reports, that might be interesting.

 

Good point :)

We could get the "email address" from the plugin/extension creator, and we could submit bugs or report security holes :)

The thinking is, because sometimes we find a bug, and we think "I have to report this, but now I don't have time, maybe later" and then we forget and the bug is still present.

If we had a plugin to easily send bug reports, everyone would report bugs found instead of getting a forum login account and reporting, or sending a support ticket to Blesta.

:)


Yeah, I wouldn't put the word bounty in it; many people assume there is a monetary award.

In theory the plugin sounds like a good idea, but don't forget that they first have to install it. Most people won't go through the effort.

I'm lazy, I only post here if I know it will help others, but I don't technically look for bugs.
