Mitch Sellers wrote:
> Joe,
> I'm not sure if it helps or not, but I've heard through a few grapevines today that Michael Washington might have been contacted....
I had assumed that PowerDNN gave the information to security@dotnetnuke.com and the Core hadn't responded yet. When there is an exploit, normal Core members get the details when the rest of the community gets the details because only the people working on the problem "need to know".
I was contacted by a PowerDNN representative when I asked for the patch fix for free. I was told to give FTP access to my site. I then found out that the Core was not told about the patch.
Then my "Head exploded". I then sent an email to PowerDNN telling them that I thought it was wrong to sell the patch.
So my mistake was asking for the patch for free. I should not have done that. I should have sent PowerDNN an email telling them that it is wrong to sell a security patch for Open Source software under any circumstances. The source is "open" so that we can all "protect each other".
PowerDNN cannot call it a "service" to "patch it for us" because they don't want to "tell us what the exploit is".
How about this, when the next bug comes out, how about I charge for it?