There have been recent questions over why devlopers should inform the VEL team about exploits they have fixed before the velteam get to know about them. This includes when a developer updates their listing on the JED and neglects to mention the update is due to a coding weakness.

Developers have several responsibilities when it comes to insecure code:-


1) Fix the code promptly and make security release
2) Make a security release announcement that is clearly identifiable as such, it should say it clearly among the first few lines of text, not buried near the bottom of the page
3) Inform the VEL

This applies whether the vulnerability is self-discovered or not.

We have to leave it up to the developers discretion exactly how much information they give publicly because they will (hopefully) understand the details of what the vulnerability is, but there should be some basic instructions on how to fix the problem and some basic description of the vulnerability (eg sql injection etc). Plus they should give details to the VEL who will never give full details or instructions how to use an exploit.

When it comes to telling users how to fix the problem, just telling users to update to the latest release is always enough. There is a real problem with updating commercial extensions for many sites, they often get locked into commercial templates that may not be compatible with new releases.

Therefore we ask all joomla developers to inform via the update form when they have a security release

We care about Joomla users: you should too.