Today, Rapid7 is disclosing 9 vulnerabilities that affect 3 open-source projects: EspoCRM, Pimcore, and Akaunting. Right out of the gate, I'd like to give a special thanks to these 3 open-source project maintainers. While it's never great to learn of new vulnerabilities in your own product, all 3 project maintainers accepted, validated, and provided fixes for these vulnerabilities within one day, which is amazing when it comes to vulnerability disclosure. EspoCRM was notified on May 4, 2021 and patched source on May 5; Akaunting, on May 13 and turned it around on May 14; and Pimcore validated their vulnerabilities on April 29 after learning about them on April 28, 2021. Nice work, all around.
Now, I'm not sure why open source is just so much faster than the typical proprietary software vuln-patching pipeline, at least for the disclosures I've been involved in. It might be because, in open source, you're almost guaranteed to have your first communication with a hands-on-keyboard software engineer who is personally and emotionally invested in the software; whereas in proprietary land, first contact might be a lightly monitored support alias, staffed by a third-party provider. Rapid7's vulnerability disclosure process assumes a minimum of 60 days for remediation of any vulnerability we report to a vendor, and I'd say about half the time, we're looking at more like 90 to 120 days from report to disclosure — and, sometimes, we are left with the unhappy option of publishing without a fix in hand at all.
Of course, proprietary software occasionally offers fast turnaround times on validation and fixes to source, as well (SonicWall co ..
Support the originator by clicking the read the rest link below.