Minetest Forums

[rubenwardy]

Around the time that I discovered the 3D armor item duplication vulnerability, I mentioned that I would be providing a more thorough explanation of the vulnerability with the aim of helping other mod developers to avoid the same mistake. I also specifically stated that I would wait at least 1 month before doing so, to give server owners a chance to update to the fixed version of the 3D armor mod. I was warned, by yourself no less if I remember correctly, that this would constitute a violation of the forum rules as it would potentially be aiding cheaters in figuring out how to exploit the vulnerability (honestly though the vulnerability was simple enough that it's hard to explain or even describe without giving almost everything away).

The aim is to make it hard for script kiddies to just download a mod / program, and use it. Talking about vulnerabilities and responsible disclosure is fine other than that. If you disagree with this approach, then maybe we should have another thread to debate the policy

[sofar]

Please note that responsible disclosure in the industry often has 90+day blackout periods. Sometimes years. Nobody in the MT team wants that to be the case for Minetest, but 1 month really may not be sufficient time to deal with a major security escalation - especially if it's not understood yet by the people who need to fix it.

I think it is absolutely appropriate to make sure everyone understands the rules and limits, especially for something as critical as possible significant vulnerabilities. We don't do this to threaten people, but to make sure that everyone knows the rules are applied equally and fairly and in the best interest of everyone.

I would encourage everyone who has found a significant security issue to discuss a disclosure date schedule before announcing that they will publish working exploit code at a certain date. Talking it over with involved parties is a lot nicer than to throw out a unilateral schedule that doesn't incorporate input from those that haven't had the time to investigate it.

[shamwow420]

Developers who are truely interested in making Minetest more secure should spend some time on a few of the most popular servers and see. Some of the cheaters even brag about it if you pretend to be a hot girl. This is the easiest way to fix without putting the exploit in the wild. Get in there, lie, and be a detective. It seems some take offense and believe we are insulting the developers but in reality we want things safer because we love the game and hate to see it's demise. I quit months ago but still check the forums and watch the servers.minetest.net list to see how things are going. I would love to run my own server and enjoy the game again but things look the same to me. Yes posting the details of exploits before a patch is dangerous so I request discussion of a warning system so clients and hosts can use their own judgement to go offline and wait for a fix to prevent damages.

[micheal65536]

Please note that responsible disclosure in the industry often has 90+day blackout periods. Sometimes years. Nobody in the MT team wants that to be the case for Minetest, but 1 month really may not be sufficient time to deal with a major security escalation - especially if it's not understood yet by the people who need to fix it.

<!-- snip unrelated -->

I would encourage everyone who has found a significant security issue to discuss a disclosure date schedule before announcing that they will publish working exploit code at a certain date. Talking it over with involved parties is a lot nicer than to throw out a unilateral schedule that doesn't incorporate input from those that haven't had the time to investigate it.

In this case, I had already submitted a fix for the vulnerability and was planning to provide a technical explanation (in the form of, for example, "if your mod does A, then B situation may arise in C circumstances, and this could be exploited by an attacker if they do D and E, and to avoid this mod developers should do F and G or make sure that H and I can't occur", not actual exploit code) 1 month after a new version of the mod was released that included the fix. Of course, if a server owner had asked me to delay releasing the details for longer I would have done so (if reasonable, of course).