I'm the maintainer of a very popular open-source PHP package - PHPMailer. In December 2016, two critical remote code execution vulnerabilities were found in PHPMailer, affecting potentially tens of millions of sites. There's a lot that goes on behind a CVE number - I'd been involved in reporting some minor security issues in the past, but nothing of this magnitude, and never at the receiving end, so I found myself at the start of a steep learning curve and an emotional roller-coaster. This is the story.

Comments

Coen Dunnink at 14:28 on 1 Jul 2017

Nice story about a bug and the implications

Anonymous at 14:31 on 1 Jul 2017

Very well presented talk about the various things you may have to deal with with a vuln like this. And a few nice useful pointers too.

Take my internet points for a job well done :)

I was hoping for an edutaining story and you delivered.

Well prepared, well presented talk.

Peter Meijer at 21:33 on 2 Jul 2017

One of the best talks at DPC17.

Good build-up of the story and excellent explanation of what has happened.

Martijn at 09:18 on 3 Jul 2017

This was the second talk I attended from Marcus, and it did not disappoint.

The story itself was entertaining; the speaker gave a personal insight into how the discovery of a security issue itself triggered a whole lot of work and investigation into how to solve it.

Hopefully I won't encounter myself in a similar situation :)

Sjoerd Maessen at 15:13 on 4 Jul 2017

A very "honest" talk with some interesting points. I liked how you made the talk personal.