Yet again the Joomla project teams have dropped the ball regarding a cross-site scripting (XSS) exploit. Instead of dealing with the apparent zero-day nature of the hole, they have used their political stoush to censor and limit discussion, even though the exploit is already in the wild.
In order to have a secure product, 3 specific rules are understood. These would be considered tips when designing and developing any internet-based product. They are a mantra that should be drilled into any developer or designer.

1. No product is 100% secure.
2. Due diligence in project management means you have to respond to zero-day exploits on the zero-day. Not a week or two later. Not a month later. Now.
3. Every time you find a security issue in your product, your customers have to know. Security through obscurity (in this case, obscurity being censorship) doesn't help your clients feel safe and secure.
Anything less and your clientele is not safe with your business. Sure, responsible disclosure must happen, but the patches have to be delivered immediately for zero-day XSS attacks. I've dealt with CMS projects where the lead time for patches to XSS attacks has been between a month and 3 months. Educating their development staff, as well as their marketing teams, about the nature of these holes is something that has to be done; otherwise their own clients suffer the consequences.