Stefan Esser has revealed today in a SecurityFocus interview that he plans to start the Month of PHP Bugs in March. If you’re impatient you can skip straight to page 3, though I think Federico Biancuzzi’s interviews are always worth reading in their entirety.

The point? Don’t piss off the guy with the technical skills to find your bugs if he’s trying to help you. I understand it’s not always easy to deal with the egos. But hey, if no one else wants the free QA, I’ll take it.

  • Aviram

    “As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. [...] a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed.”

    Makes a good case for full disclosure…

  • Blue Boar

    Yep. I’m guessing that he will be releasing fixes to go with his bugs.

  • 10gigawatz

    Stefan should take his head out of his ass, and stop being such an ass. If someone doesn’t act nicely to you, you go away; you don’t take a gun out and shoot his family and everyone he cares about.

  • Blue Boar

    And someone should have told Theo to play nice with the NetBSD guys.

    Being an ass doesn’t always mean you’re wrong.

  • 09gigawatz

    I really cannot understand this sudden hatred against Stefan, calling him an ass, a child or whatever.

    Stefan has disclosed vulnerabilities in PHP for years. And now, after he stepped back from their security team (which I can understand), he did another audit and found a bunch of bugs and will release them.

    So actually nothing has changed; he does what he always did, with the difference that suddenly he is called a bad guy.

  • sunshine

    Let them call him a bad guy then. We didn’t, BB was just being sarcastic.

    Calling him names won’t stop him doing the good work he has been doing.