(10-26-2010 08:24 AM)MattF Wrote: So if anyone did happen to find an exploit in your code, you'd rather they make it public knowledge before notifying you? If so, I'll digress now, because that attitude is nothing more than either stupidity or arrogance. No-one turns out perfect code 100% of the time, and to suggest you would rather an exploit be made public knowledge than be given the opportunity to patch/repair it before that is just a stupid stance to take.
I don't really have a preference actually. Whether they report it publicly or privately is their choice.
I would MUCH rather it being reported, through any means, rather than it being kept private. Only then do I have the ability to improve.
And no, I don't expect that my code is 100% perfect, but similarly, if there is an issue in it (within reason), I'm 100% responsible for it.
Code can be made exploit-free with good design (of course, this is rarely followed). If you code correctly, the probability that there actually will be an exploit will be close to 0%. No-one turns out 100% perfect code, but you can certainly get close to it.
Anyway YES, it IS nicer to report privately (for most people that is; I don't mind either way), just as it IS nicer to donate your life savings to charity, or spend your whole life developing for a free project.
I'm saying here that I'm not that sort of person and I don't have the time for it. I have tried many, many times in the past to report issues, but practically they've been ignored every single time. And this is all the SAME problem. This is NOT a case of people merely making mistakes. This IS a case of the community just being stupid as a whole, and simply refusing to learn (assuming they ever had the ability to do so to begin with).
I presume you're talking mostly from the point of view of an outsider, but once you've actually experienced how bad customisations generally are, perhaps you'll understand better. A systematic problem requires a systematic fix, and your solution is simply a waste of time.
Now, just to make something clear to you, I really don't care about my end users. I used to, but after a while, I lost interest (I won't go into reasons). I code for myself. If I can improve, I'll do it. I've expressed that there is no warranty over my code, so if a whole heap of forums get exploited, it doesn't affect me. Thus I don't care if an exploit is made public or not - it makes no difference to me.
I don't care what people think of me. I never did, and I'm not trying to appear altruistic like many others out there (who really aren't) and hide hidden agendas. So think of me any way you wish.
And FYI, MANY exploits are made public because the large companies behind the product simply refuse to put the effort to fix anything unless it's made public. How about we just ditch this stupid additional process and jump straight to the point already?
Actually, I don't think I'll bother. I don't know why I should even bother wasting time pointing this out. Leave the exploits in the code; maybe some hacker will discover it and put it to his advantage some time.