Where do you submit security related issues?
#1

[eluser]alexaholic[/eluser]
The bug tracker doesn't seem to be a good place since anyone can view it...
#2

[eluser]Benito[/eluser]
If that weren't so, it would kill the point of being open source :)
#3

[eluser]alexaholic[/eluser]
Yeah, but we're talking about security here. I believe CI developers should know about it and provide a patch before someone turns your server into a zombie.
#4

[eluser]n0xie[/eluser]
The advantage of open source is several eyes on the same codebase. Just show us the exploit and I'm sure Ellislabs will take a look at it.
#5

[eluser]Phil Sturgeon[/eluser]
If you have discovered a security issue that is THAT dangerous to post online, email or private message one of the EllisLab guys a patch file or a description of the problem.

I'm interested to know what could be that insecure in CI. I've been using it a long time without anything getting hacked, and none of the other devs I know have had issues.
#6

[eluser]Benito[/eluser]
I have a strong feeling that this is a programmer's security flaw rather than the framework's.
But who knows. Try Derek Allard.
#7

[eluser]Derek Allard[/eluser]
Yes, please contact us regarding security privately. The bug tracker isn't suitable for security-related stuff. You can absolutely feel free to contact any or all of the CI team privately with security stuff. Here's a quick list for you (as of June 2010):

Derek Jones (derek [dot] jones [at] ellislab [dot] com)
Derek Allard (derek [dot] allard [at] ellislab [dot] com)
Pascal Kriete (pascal [dot] kriete [at] ellislab [dot] com)
Greg Aker (greg [dot] aker [at] ellislab [dot] com)

You'll find we're very responsive to potential security issues.

Thanks!
Derek Allard
Technology Architect, EllisLab
#8

[eluser]alexaholic[/eluser]
I sent you an email and I'm waiting for a response.
#9

[eluser]Derek Allard[/eluser]
Just to close the loop on this, I wanted to publicly thank alexaholic for working with us on this. The end result was http://codeigniter.com/news/codeigniter_...ity_patch/
Theme © iAndrew 2016 - Forum software by © MyBB