
Lisa Harvey - Technology for NGOs and other interesting things.

Aug 20
2008

A Joomla Story - Open Source and Security Vulnerabilities

Posted by: Lisa Harvey

Tagged in: security , open source , Joomla

Why you should upgrade to Joomla 1.5.6

We use Joomla! for all our client websites and we love it. Last week a serious vulnerability was discovered and reported. If you are interested in the development cycle and the process, here is the full story.

Essentially, the vulnerability allowed attackers to gain administrator access to Joomla! 1.5 sites. It was discovered on August 12 (US time). A tested release repairing the vulnerability was available 3 hours and 40 minutes after the development team was notified.

Between 20 and 30 people worked on the process, many of them volunteers. Those are extraordinary statistics for a complex piece of software.

At Energetica as soon as we learned of the release we tested the upgrade, planned the implementations and had our client sites upgraded within 2 days. This includes testing components, templates and other site inclusions.
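Before planning a rollout like the one above, the first question is which client sites are still on a vulnerable release. The script below is an added example, not code from this post or from the Joomla! project. It assumes the Joomla! 1.5 layout, where each site's docroot contains libraries/joomla/version.php declaring $RELEASE and $DEV_LEVEL, and it builds a few constructed sample sites in a temporary directory so it runs offline; the site names and the FIXED threshold of 1.5.6 come from the post, everything else is an assumption for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed Joomla! 1.5 layout: <docroot>/libraries/joomla/version.php declares
#   var $RELEASE   = '1.5';
#   var $DEV_LEVEL = '6';
VERSION_FILE = "libraries/joomla/version.php"
FIXED = (1, 5, 6)  # the release that closed the hole discussed in the post

_RE_RELEASE = re.compile(r"\$RELEASE\s*=\s*'([\d.]+)'")
_RE_DEV_LEVEL = re.compile(r"\$DEV_LEVEL\s*=\s*'(\d+)'")


def parse_version(text):
    """Return (major, minor, dev_level) parsed from version.php text, or None."""
    m_rel = _RE_RELEASE.search(text)
    m_dev = _RE_DEV_LEVEL.search(text)
    if not (m_rel and m_dev):
        return None
    major, minor = (int(p) for p in m_rel.group(1).split(".")[:2])
    return (major, minor, int(m_dev.group(1)))


def audit_sites(docroots):
    """Map each site name to 'ok', 'UPGRADE', 'not-1.5' or 'unknown'.

    docroots: dict of site name -> path to the site's docroot.
    Only the 1.5 branch is compared against FIXED; other branches are
    reported separately rather than silently flagged, since this advisory
    concerned 1.5 sites only.
    """
    results = {}
    for name, root in docroots.items():
        vf = Path(root) / VERSION_FILE
        if not vf.is_file():
            results[name] = "unknown"
            continue
        ver = parse_version(vf.read_text(errors="replace"))
        if ver is None:
            results[name] = "unknown"
        elif ver[:2] != FIXED[:2]:
            results[name] = "not-1.5"
        elif ver < FIXED:
            results[name] = "UPGRADE"
        else:
            results[name] = "ok"
    return results


# Constructed fixtures for a stand-alone run; these are not real client sites.
SAMPLE_SITES = {
    "ngo-a": ("1.5", "5"),   # still on 1.5.5: vulnerable
    "ngo-b": ("1.5", "6"),   # already on 1.5.6: patched
    "ngo-c": ("1.0", "15"),  # 1.0.x branch: outside this advisory
}


def make_sample_sites():
    """Write minimal version.php files into a temp dir; return name -> docroot."""
    base = Path(tempfile.mkdtemp(prefix="joomla-audit-"))
    roots = {}
    for name, (release, dev) in SAMPLE_SITES.items():
        vf = base / name / VERSION_FILE
        vf.parent.mkdir(parents=True)
        vf.write_text(
            f"<?php\nclass JVersion {{\n"
            f"\tvar $RELEASE = '{release}';\n"
            f"\tvar $DEV_LEVEL = '{dev}';\n}}\n"
        )
        roots[name] = base / name
    return roots


if __name__ == "__main__":
    for site, status in sorted(audit_sites(make_sample_sites()).items()):
        print(f"{site}: {status}")
```

In practice you would replace the sample dictionary with the real docroots (or run the same check over an SSH fan-out), and treat every "unknown" as something to look at by hand rather than as a pass.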

One of the things people often say about open source is: "If everyone can see the source, doesn't that mean they can find holes in it?"

The answer is "yes". But it is not the finding of the holes that you should be concerned about; it is the fixing of them.

Anyone can find security flaws in open source, and anyone can help fix them. This means that either the bad guys or the good guys will find them, and the good guys will fix them. With closed-source, proprietary products, the bad guys find them and only a small group of good guys can fix them.

An important assessment tool in selecting open source products is how often security releases appear. It is a little counter-intuitive to think that a lot of security releases are a good thing. Do they indicate a flawed product? Maybe, but they also indicate an active and responsive development community and a widely distributed product, and these are good things for open source products.

Any complex software system has many points of attack. Often vulnerabilities are discovered by the development team; sometimes they are reported by people who have the time to find them and report them (some people actually do this for fun!). Sometimes the bad guys get there first. The important thing is the response of the development community.


Lisa Harvey is an IT specialist working in the not-for-profit sector. She runs Energetica...