Please take security seriously. Here are suggestions,
I can assure you we take Security very seriously.
We have lost serious levels of sleep simply confirming whether threats are indeed correct and then creating fixes where necessary.
We communicate across boundaries, as in this case with former members of Team Mambo at http://www.mamboguru.com
(and thanks for their assistance).
1. A dedicated webpage listing all current security vunerabilities, and the appropriate fixes.
As it happens this is on the todo list, but as always this takes time to do and the priority has been coding, so this project has not been started yet unfortunately. But rest assured it is something that I have personal interest in seeing created.
2. If risk is high then instructions on patching users current version should be given, along with which version the fix has been(will be) incorporated. never force people to upgrade, as it leave sites flapping in the breaze as they have the extra task of seeing if the upgrade breakes anything else. (example - upgrading from 1.0.7 breaks the mosCE editor, plus a few other things as well.)
* The usual case when a security vulnerability is found - of any nature, is that an analysis is done to secure the codebase from future attacks of similar nature and additional hardening is taken.
* By its nature a dedicated security patch to fix a specific vulnerability would only secure you from that particular vulnerability and would not have the additional security hardening that occurs - as occured in this case, where additional hardening has indeed been introduced. This hardening then lessens the likelihood of future attacks occurring - premptive defense.
* Releasing dedicated security patches to address High to Critical level threats will probably encourage users to maintain earlier versions of the codebase, meaning that they will not benefit from security to Medium to Low level threats.
* Some fixes are dependent on a large number of fixes over a large number of files, that are dependent on Code introduced in progressive releases of the codebase, so there is no garuantee that a suggested fix will properly protect the earliest versions of the codebase, which may not have the other dependent code. The only way this can be assured is by using Full Releases.
Cumulative use of Specific security patches may not be as effective as the Full Release.
* Most users do not have the ability, proffiency or confidence to introduce specific security code changes themselves
* If you release Security Patch files with the security changes (not simply posting the fixes for users to code themselves), you would most probably need to release versions for every version of the codebase to cover any differences between them, which would be about as much work for the Team as releasing a Full release.
3. Never tell people just to wait until the next version, again it leaves sites flapping in the breaze, vunerable to hackers.ime.
Our response is predicated by the nature of a security vulnerability found. For Critical Level threats (our highest rating) we work towards a 24-48 hour release response.
For High Level or lesser bugs a longer period maybe taken dependent on the nature of the threat - as occurred here, where the nature of the threat meant its severity was to a certain extent limited.