Vulnerability testing of SugarCRM

[pkruithofjr]

I have a potential customer that is concerned about security.

The asked for any documentation/reports that we could provide to show that the software has been tested for vulnerabilities.

Is this kind of information available to the community?

Thanks,

Piet

[RandyLee]

We tested sugar by several security testing tools, e.g. chorizo, paros. But I am afraid I can't show you the report.

[roblaus]

And why can't you show the report? Because it's so negative? Can you at least tell the result?

Because I am getting the same questions and if I show your post to my prospects I will probably sell. But not Sugar.

[RandyLee]

Sugar pass these security tools before they are released, we solved the security problem detected by them for every release, even patches. As we know, everything is improving, including the security testing tools...

[SugarDev.net]

Why are solved security bugs not made public?

[RandyLee]

All of them are filed in Bug tracker, if you want to review, you can search your problem in Bug tracker system.

[eggsurplus]

That is just a great stance. Sounds like a very proprietary and closed approach to security. I hope that my systems aren't found by someone who knows about any vulnerability while I don't due to Sugar's non-disclosure policy.

[pkruithofjr]

Honestly, I think it makes sense to publish these kinds of reports in the Sugar community. It's a bit inefficient to ask your various users, resellers or developers to generate this kind of information on their own.

It also does a great deal to address any concerns with open source from our customers.

Piet

[andopes]

The concept of Community and Open Source is to share knowledge to improve some open source application, just like SugarCRM.
So if this report would be a public one, community users would help Sugar fixing them.
I believe Sugar should consider a policy like that.

Best regards

[SugarDev.net]

All of them are filed in Bug tracker, if you want to review, you can search your problem in Bug tracker system.

http://www.sugarcrm.com/crm/?option=...&button=Search

This query returns quite a lot of security issues which are unaccessible by me, even though they are all closed (fixed). This makes it very hard for me to asses the dangers a client is having with his particular version. I also believe this is called security through obscurity.