Community mailing list archives
Re: Security - Odoo enterprise - DB access
On Sat, Apr 16, 2016 at 11:10 PM, Fabien Pinckaers <firstname.lastname@example.org> wrote:
> we send them an email, along with a patch a few weeks before we disclosed the security breach publicly.
Why do you keep security issues hidden from the public for weeks? I think it is not a good way to increase public trust in customers when you leave Odoo websites open to serious security issues even though you already have a patch available.
To increase TRUST in Odoo it would be much, much better to provide the patch asap for everyone and of course publish the security issue immediately after it has been discovered, so that ALL users are warned, especially those who are not using the Enterprise version.
Even better would be to also publish and report security issues of Odoo to Secunia, which provides a great database of security advisories for everyone for free.
Security, especially of an ERP system which holds hundreds, thousands, perhaps even millions of customers' data and their customers' data, should be FIRST priority and treated as such. If Odoo and its community and the team which provides the software is such a great and fast working and patching team, then they really can present their fast way of patching things publicly as well. Right now it looks more like the typical Microsoft way, which means that security issues do not get announced publicly for weeks, months, perhaps even years until a patch is available, and as you wrote, even then the public gets excluded for weeks from that patch, which is horrible in terms of security for an enterprise and Open Source ERP system like Odoo / OpenERP.
A last question: How many issues have not been announced until now as your team wasn't able to provide a patch until now? Is Odoo Safe or Vulnerable?
Please disclose ALL security issues of Odoo asap so that all in the community could help to get things patched and secure again. Thanks