Minor vulnerability workflow disclosure

Abstract

As the first Alpha version of MyBB 2.x approaches, the Team needs to establish basic workflow scheme regarding changes in the code which disclosure may lead to compromising the security of MyBB installations in the sake of simplicity of operations and transparency (proposed by Euan T.).

This RFC defines a non-critical security issue as any issue that has been assessed by the MyBB team and deemed non-critical on the basis that exploiting the issue cannot lead to significant damage to the installation, its users nor its environment.

Proposed question

Should the workflow for fixing non-critical security issues in MyBB 2.x and later be public?

• Yes
• No
• Abstain

Effects & Implications

• Public: increased simplicity and transparency; possible support from the Community in preparing security fixes. Minor security issues would be placed and worked on in the public repository and therefore disclosed before a proper patch is released.

• Private: all issues related to security would be prepared internally. Disclosure of these issues would happen simultaneously with a release containing appropriate patches for the same issues. Proper procedures and technical details would need to be established to assure optimal workflow.

Justification

We want to ship Alpha 1 this year, in order to do that there needs to be a clear endpoint, a finite set of features that we commit to deliver before we ship Alpha 1.

Metadata

• First draft: 31 Aug 2015
• Author(s): Devilshakerz
• Status: Accepted with answer Yes