German researcher Stefan Esser has quit the PHP Security Response Team in disgust, accusing the open-source group of concealing how slowly vulnerabilities get fixed and, worse, of refusing to fix known flaws for months.
Esser, one of the most prominent open-source security researchers, has "retired" from the PHP Security Response Team -- a group he founded -- to concentrate on Suhosin, the two-part (core patch plus extension) protection system for PHP installations.
"I have realized that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata," Esser said in a blog entry. "I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin."
Esser said he will no longer hide the slow response time to security holes in advisories, adding that some alerts will be published without patches available, "because the PHP Security Response Team refused to fix them for months."
"It will also mean that there will be a lot more advisories about security holes in PHP," he warned.
Esser's damning exit is a major blow for the PHP project, which was created in 1995 by Rasmus Lerdorf and has enjoyed startling usage growth since 1999 (Yahoo is among the high-profile early adopters).
So far, we have not heard the other side of the story -- the PHP folks have not publicly responded to Esser's criticisms -- but this can't be good for PHP users, or for those who argue that open-source software, by its very nature, is much more forthcoming about defects and security problems.
For full story:
http://securitywatch.eweek.com/open_sou ... sgust.html