The Vulnerable Extensions List (VEL) team has updated the procedures for the Vulnerable Extensions List, and we thought we would share how we do it to clear up some common and increasingly frequent misunderstandings.
An exploit is released
* We get/find the report
This can come from any of the major security services, by PM to the Vulnerable Extensions team, or direct to the JED.
* We then locate all references to the exploit
These can be on exploit-db, Secunia, X-Force, etc.
* If it's proven or very likely, and is not greetz spam
* We then check whether it is listed on the Joomla Extension Directory (JED)
If it is JED listed, we add it to a "VELJED" working list for the JED team to contact the developers and unpublish it from the JED.
* We then add it to the VEL
and, where we can, we post in the security forum and via Twitter with the #joomla or #jos tags.
When an extension report is "updated", whether by being resolved, upgraded or retired, we will mark this on the VEL if we are told. This applies to both JED-listed and non-JED-listed items.
We don't catch all the reports and can't be held responsible for any issues arising from them; contact the developer if you have any questions.
Our growing slogan in the VEL team is "we don't fix, we just report". We also will NOT link from the VEL to any site where you can download the exploit.
Joomla and Xforce
We are also now working closely with IBM X-Force, telling them when developers have updated their extensions and republished them in the JED (I am sure this is really a developer's task), because otherwise it counts as a black mark against Joomla in their counts of unresolved exploits.
In February we will be reformatting our RSS feed. The URL will stay the same, but the new version will use a more recognisable RSS feed structure, with one item per entry:
<title>Item 1</title>
<title>Item 2</title>
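As an added example (not part of this post and not the VEL team's own tooling), here is how a site administrator could consume a feed of that shape: parse the RSS 2.0 items, look for installed extension names in the entry titles, and separate entries that have been marked resolved or updated from those still open. The feed text and the installed-extension inventory below are constructed for the example, and the assumptions that an entry's <title> names the extension and that a resolved entry carries a word such as "resolved" or "updated" in its title are ours, not a documented feed format.

```python
"""Check a site's installed extensions against a VEL-style RSS 2.0 feed.

Added example for this post; it is not the VEL team's code. The feed text
below is constructed, and the title conventions it relies on are assumed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed (not real VEL data); standard RSS 2.0 layout.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Vulnerable Extensions List (sample)</title>
    <link>http://example.invalid/vel</link>
    <item>
      <title>Example Gallery 1.2.3</title>
      <link>http://example.invalid/vel/example-gallery</link>
    </item>
    <item>
      <title>Foo Forms 2.0 - resolved in 2.1</title>
      <link>http://example.invalid/vel/foo-forms</link>
    </item>
    <item>
      <title>Bar Comments 0.9</title>
      <link>http://example.invalid/vel/bar-comments</link>
    </item>
  </channel>
</rss>
"""

# Status words the post says an entry is marked with once a fix is reported
# (resolved, upgraded/updated, retired). Assumed to appear in the item title.
RESOLVED_RE = re.compile(r"\b(resolved|updated|upgraded|retired)\b", re.IGNORECASE)

# Constructed inventory of what is installed on the site being checked.
INSTALLED = ["Example Gallery", "Foo Forms", "Safe Plugin"]


@dataclass(frozen=True)
class VelEntry:
    title: str
    link: str
    resolved: bool


def parse_vel_feed(xml_text):
    """Return one VelEntry per <item> in an RSS 2.0 document."""
    # expat wants bytes when the document carries an encoding declaration.
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    entries = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        entries.append(VelEntry(title, link, bool(RESOLVED_RE.search(title))))
    return entries


def match_installed(entries, installed):
    """Map each installed extension name to the VEL entries mentioning it.

    Matching is a case-insensitive whole-word search of the entry title, so
    "Foo Forms" matches "Foo Forms 2.0 - resolved in 2.1" but not "Foo Formset".
    """
    hits = {}
    for name in installed:
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        matched = [e for e in entries if pattern.search(e.title)]
        if matched:
            hits[name] = matched
    return hits


def unresolved_hits(entries, installed):
    """Installed extensions with at least one entry not marked resolved."""
    return sorted(
        name
        for name, matched in match_installed(entries, installed).items()
        if any(not e.resolved for e in matched)
    )


if __name__ == "__main__":
    feed_entries = parse_vel_feed(SAMPLE_FEED)
    for name, matched in match_installed(feed_entries, INSTALLED).items():
        for entry in matched:
            status = "marked resolved" if entry.resolved else "OPEN"
            print(f"{name}: {entry.title} [{status}] {entry.link}")
    print("needs action:", unresolved_hits(feed_entries, INSTALLED))
```

Against the constructed feed, "Example Gallery" is reported as needing action, "Foo Forms" is matched but already marked resolved, and "Safe Plugin" does not appear. For a real feed fetched over the network, treat the XML as untrusted input and parse it with defusedxml rather than the plain xml.etree parser, and remember that a name match on a title only tells you to go and read the entry and contact the developer, in line with "we don't fix, we just report".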
A final note to developers.
We only pass on information that is already out there. We will not remove anything from the list; we will mark it as resolved or updated.
If your entry is on there and you "fixed" it ages ago, please tell us.
Please solve the issues and:
* If JED listed
Attach the new zip file to your actual JED listing.
Change the extension version in the JED listing.
Reply to the JED by mail with a notice and ask them to republish.
* If not JED listed.
Inform us by PM with the link to the resolution notice on your website.
The VEL team consists of mandville, lafrance, PhilD, FW116, and JeffChannell