Today I learned about a podcast interview with Ed Finkler, one of the members of the PHP Security Consortium. I listened to the first 30 minutes and was kind of bored, because it was not really about PHP security but about educating PHP developers, which is a subtopic of PHP application security, which itself is a subtopic of PHP security. I already wanted to switch it off when, at around 34:32, they started talking about the Month of PHP Bugs.
Well, knowing that Ed Finkler is a member of the PHP Security Consortium, it was absolutely no surprise that his response lacked any substance and was only colored by anti-Esser propaganda. I liked his comment that I am not worth being talked about. As usual for members of the PHP Security Consortium, he wants to convince the audience that I am a bad person, with the argument that I throw the principles of responsible disclosure overboard.
What he fails to mention, however, is that half of the security bugs were released without prior notification of the PHP Security Team, because a member of the team who also happens to work for Zend openly claimed on the PHP internals mailing list that he did not know about any security hole in PHP, while I had disclosed about 20 holes in the 2 weeks before. When a vendor denies the existence of security holes and lies to the faces of its users, it has voided all options of nice treatment.
My advice to the members of the PHP Security Consortium is: you should use the time that you waste on interviewing each other or spreading anti-Esser propaganda for actually contributing to PHP (application) security. Everything coming from you is nothing more than hot air and pure hatred against my person.