ShadMOrdre wrote: This discussion is good and all...it should keep going. However, I'd like to point out some glaring issues.
1. If you find a problem, report it. Give the developer time to respond. In an opensource game, this could mean up to a year. Patience. If the issue is so pressing, either work towards fixing the problem, or quit using the product/software. Crying about a problem does nothing. Threatening to broadcast a problem, for whatever reason, to force an issue is never the right way. As a developer, I will tell you this. Your threats will go ignored. Issues might get addressed if I, as the developer, deem the issue important enough to address. Your expectation of anything other than the above stated behavior is unrealistic. You would act the same way if you were in those shoes.
2. If you build it, they will hack it. Does this really need expounding upon?
3. Expecting an opensource game engine to provide any better security than your local run-of-the-mill Windows OS, with market cap to correct EVERY issue, well, again, totally unrealistic.
4. Security issues are always a delicate matter, and should be treated with the dignity and respect they deserve. Broadcasting security issues, regardless of the motivation, is only intended to do harm. There is no other explanation or excuse.
5. Discretion is advised. Otherwise, why bother posting the issue and waiting for a response? Just broadcast the security hole and let the harm fly.
AND MOST IMPORTANTLY....
Get involved with the nuts and bolts of coding. You cannot honestly expect anyone else to fix whatever you find, if you are not willing to at least help yourself. Help those who are trying to help you.
Up to a point, just because it's free as in free beer doesn't mean they SHOULD take so long for a security flaw to be resolved/addressed. More than likely a "hold" of 90 or so days is reasonable depending on severity, complications and/or other reasonable means.
After that why give them the slack? One way or another you need to give some people a "push" to fix an outstanding issue if internal means fail for x amount of time (and not like a year in most cases).