- Case Number: a20110413.1
- Status: Closed
- Respondents: CAcert
Case Manager: MartinGummi
- Date of arbitration start: 2011-04-13
- Date of ruling: 2011-04-13
- Case closed: 2011-04-14
- Complaint: Adhoc SQL query
- Relief: TBD
- 2011-04-13 (issue.c.o) case [s20110412.140]
- 2011-04-13 (A): added to wiki, request for CM / A
- 2011-04-13 (A): I'll take care about this case as (A)
- 2011-04-13 (CM): I'll take care about this case as (CM)
- 2011-04-13 (A): sending initmailing to (C) with CCA/DRP acceptance request
- 2011-04-13 (C): accepts CCA/DRP under this arbitration
- 2011-04-13 (A): contacting SAs for review of sql query deployed by (SA1)
- 2011-04-13 (SA2): confirmation by 2nd (SA)
Original Dispute, Discovery (Private Part)
Link to Arbitration case a20110413.1 (Private Part)
EOT Private Part
This case is based on bug #637
Software-Assessment Project Team at meeting 2011-04-12 decided to first check the count of effected accounts
- proposed sql query regarding an allready known password discovers only the account of users who used an allready known weak password that is allready published on the main website
- no further infos will be discovered with the result set
- logical security checks are not yet well covered by the SP - eg weak passwords used. It does not fall in the Critical team role, nor the Support-Engineer role, nor the Software-Assessors role.
- Members identified a potential logical security hole, but no team is responsible by SP definitions.
Regular review over system settings is subject to another running arbitration case a20110221.1 but this case covers only flag settings. A recuring logical system check over the database content (eg used weak passwords) is not yet defined.
- In order to handle the reported bug# and to move forward with this case, I hereby order (Critical Team) to execute the proposed SQL query that was checked and confirmed by 2 Software-Assessors.
The result set to be send to the Arbitrator/Case Manager and the nominated known Software-Assessors, to be presented within the next Software-Assessment project team meeting, but not published on any website nor within any minutes before a fix has been applied under bug #637 onto the critical system.
- The potental allowed recipients group includes: Crticical team, Software-Assessors, Software-Assessment project team, Support-Engineers, Board members, Arbitrators
- A disclosure of the result set outside the defined group of recipients and before a fix is implemented onto the critical system is forbidden under fine of 150 Euro
- 2011-04-13 (A): sending ruling and exec order to (Critical Team), (C)
- 2011-04-13 (Critical Admin): exec report to (C), (CM), (A)
- 2011-04-13 (A): following the ruling, forwarding exec report to nominated (SA)'s, (CM) with warning on closed groups distribution and proposed fine.
- 2011-04-13 (A): Exec report to (C). Case closed.