In my review of a free package distributed under the Apache license, I found a number of bugs ranging from obscure code issues to security holes.

I've taken the following steps:

  • I notified the project lead through private email about this two weeks ago, and other than an acknowledgment of said emails, I haven't seen any internal or external activity regarding the issues I raised.
  • I've followed the policies laid out by SANS and Wiretrip.

Questions

  • Should I follow up with another email?
  • If no response, should I go ahead and post these issues publicly?
  • Does anyone who has been through this (from either side) have any good suggestions for how to handle this?
+2  A: 

Can't argue with recommendations from SANS, despite developer size. No matter the size of a team, 30 days is plenty of time to address most issues. Since they are being silent, there is a chance that you're not the first to find the issue.

JadziaMD
I agree. If there's no sign of any activity, give it one last prod, then start to let people know. As it stands, everyone's relying on security through obscurity, which isn't really anything at all. For all you know, people could *already* be exploiting this vulnerability.
Anon.
One more prod worked. Third time's a charm? Thanks!
Andrew Dalke
+2  A: 

Maybe there is no active community. Maybe they just don't care. Maybe, oh my, they put the security flaws in there on purpose. If your question is how long to wait before going public, then it sure seems that you've given them every reasonable chance to respond to you. So if you think going public serves the public, go public.

bmargulies
I like to think that I can think evil-ly but I didn't even consider they might be deliberate back-door flaws. That amount of evil genius isn't in the rest of the code base, so I don't think that's the case. It's a testing tool, and most of the user base (about 5 postings a day) aren't developers. Anyway, as a result of these answers I've since followed up and the announcement is now public. Thanks for your feedback!
Andrew Dalke
+5  A: 

Truthfully you have no obligation either way if:

  1. You found the problems under a legitimate installation of the software (following all ToS/Fair Usage Guidelines, etc.)
  2. You did not modify or compromise the security of the system in any known way by purposefully setting the system up in such a way as to be insecure (i.e. purposefully uninstalling security measures that it has)
  3. You cannot conceivably be considered a rival for financial gain in the same market space.

If this product is purely open source and under a free license, the last is obviously true, leaving only the first two to be considered (if it has commercial licensing this may be a different matter).

You can openly document any issues you have with software as long as you provide that they are your opinion, and that you back said issues up with proof (preferably verified by a third-party) in some form (blog, mailing list, etc).

If you are a security researcher specifically assigned to research the product, or intending to publish your findings as part of your corporate reporting, your legal department will have additional rules that you need to follow (consult with them).

I believe the dilemma is purely ethical and I would like to quote one part of your post:

I do have somewhat selfish reasons for saying "look how clever I am! I found these problems in the code!" but they are tempered by wanting to give the developers time to fix the code and I know well that ego and pride can be involved in these matters.

If you consider your ethical reasoning to be fair then you should follow whatever common sense you find most reasonable (I believe SANS to be very fair in this case).

GrayWizardx
Thank you for your considered response. I since followed up with the vendor, who replied that they had been busy, and that I should post it to the general list. I've done that as well.
Andrew Dalke