I don’t claim to be a security expert, but I’d like opinions from people in the field, as well as from database experts who value security highly. Here are some opinions from a discussion with Chad and Lenz a while ago. What do you consider a security hole that warrants immediate action, or a release of a server within a sensible timeframe?
- Remotely exploiting MySQL without login credentials
- Remotely crashing MySQL without login credentials
The above two are definite problems. What about:
- denial of service attacks
- data loss
- data changes
- data insertion
Chad tells us, “security is policy enforcement.” And the policy should state: “the service should always be available to authorized people, never to unauthorized people”.
Opinions, please. Tell me what is on the “definite list” that should be fixed within 24 hours, what’s on the possibly annoying list that should be released within 72 hours, and what’s an annoying bug but not a “high”/“large” security violation (for example, Chad considers “a function SUBSTR that always returns one too few characters” a problem by his definition), which can be fixed during the next release cycle.
Also, pointers to how other OSS projects or major release software deal with security would be welcome. Say, like Mark Cox’s security information (he’s Mr. Security at Red Hat, and they’ve got some amazing turnaround times).