The LedgerSMB project started in a similar shitstorm. I found an ability to forge credentials in SQL-Ledger. I submitted it. I went back and tried a month later on a new version (no communication from the SL author) and it was a little harder but not too hard. I exploited it again, sent another email, and was told to bug off...
I tried to get the issue fixed for six months. I finally gave up and forked. When we forked we issued a security advisory publicly and stated we would offer a full disclosure soon. That's when the shitstorm started in earnest. I was accused of fearmongering. I was told I didn't understand security, that the software was plenty secure, and many choice lines that out of professionalism I will refrain from reposting to this forum.
Dozens of emails.
The end result was that Dieter fixed SQL-Ledger shortly after the fork, because those who stayed behind made him. It would not have been fixed without the fork.
Sometimes you have to be confrontational.