“Sixteen million downloads over the lifetime of those projects is a pretty decent install base,” Metasploit's Tod Beardsley said. “Coupled with the adventures I had in vulnerability disclosure with these guys indicated to me that they are not very well-practiced at receiving vulnerability notification, which makes me think we may have been the first or among the first that have ever contacted them about security vulnerabilities.”
Some of the software projects listed here did not even acknowledge that these were security issues; five of the seven, for example, have not been patched.
“In Moodle’s case, they don’t believe it’s a bug, which is fine. They can believe that. I talked to them, and they have reasonable arguments why it’s not a bug and normal. But in the end, pen testers don’t care if a vendor calls it a bug or not. If they can get a shell off of it, it’s good for the bad guys and it’s good for penetration testers.”