Apparently Stefan Esser (a key player in PHP's Security Response Team) has called it quits. Steffen is known for finding
various vulnerabilities in PHP and working with the PHP Security team to identify and prevent issues in PHP itself. From his
blog (Mirroring since his site appears to be getting slammed hard):
"Last night I finally retired from the PHP Security Response Team, that was initially my idea a few years ago.
The reasons for this are many, but the most important one is that I have realised that any attempt to improve the
security of PHP from the inside is futile. The PHP Group will jump into your boat as soon you try to blame PHP's
security problems on the user but the moment you criticize the security of PHP itself you become persona non grata.
I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin.
For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories.
It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team
refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP."
– Steffen Esser
This is surely bad news to those of you using PHP and I surely hope that attitudes within the PHP developer community
start changing soon. This sort of attitude is often seen in closed source projects and reminds us that open source
projects are not immune.
ISC Link: http://isc.sans.org/diary.php?storyid=1926
Blog Link: http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html
Response Link: http://www.suraski.net/blog/index.php?/archives/15-Stefan-Esser-quits-securityphp.net.html
