Meteor Developer Subscription


#1

https://www.meteor.com/services/subscription

In the event of a critical security update to the Meteor platform, MDG will alert your designated contacts in advance of a public disclosure.

Anyone else feels really uneasy about this?

Everything else about the offering seems great and I wish MDG good luck with it, but this…


#2

The way I read it is that they’ll contact you so you can fix your site before they make a public announcement of the problem.


#3

What makes you feel uneasy about receiving notification of critical security updates in advance of public disclosure? Would you rather find out after the public announcement?

Because it’s (ostensibly) paid? If it weren’t an advantage of this program then it would simply be the public announcement.


#4

FWIW, when Meteor had a security problem several months ago (6?), they sent email to a big list of people that had production meteor apps. I’m not sure where they got the list, but I sure liked having the heads up and a patch to apply before the script kiddies were made aware of the problem.

I presume they have a challenge of where to find that list, maybe this formalizes that. I'd prefer that part to be something you don’t have to pay for, but Meteor better start making money soon if we want them to be around.


#5

Yeah, I think that’s the point here. If instead they let anyone sign up for advance notice then it’s not advance notice, it’s public disclosure.


#6

First off, I could be totally wrong and my concerns could be unjustified.

That said, MDG is tagging this onto a whole range of other services that give me the impression that it won’t come cheap, mainly targeting larger apps that have corporate backing.

Let’s say you have a small production app that’s your livelihood. You won’t be able to afford such a pricey service. A critical security issue occurs: MDG’s clients get informed, the information is withheld from the public, and you can bet your ass that in a quite tight-knit community such as Meteor’s people talk amongst themselves, so the information will slowly spread out, creating those that are in the know and those that are unaware and therefore open to the possibility of being exploited.

If security issue alerts were sold as a separate service that is within the affordable range of any production app, instead of tagged onto a bunch of other services, I’d likely be in favor. Else I think I’d prefer to take my chance with a public announcement, so as to know what to keep an eye out for.

Again, I could be wrong and convinced otherwise if there are good arguments.


#7

I think the problem here is clear: it incentivizes MDG to add new security holes to the framework, just so they can charge us to hear about them.

/s


#8

I agree. Haha, like the mafia keeping you safe–from them.

Why not then release the news to the Galaxy users after the support guys but before the public–in order of the highest priced hosting packages first of course.

Anyway, I’m teasing though I strongly feel there should be a better way. A security mailing list for example.


#9

I thought about this and, while I realize the sarcasm, consider this: if someone finds a security hole, should they not sell it to MDG?

Consider a third party company with this business model:

  1. Pay individuals who find security holes
  2. Release the information to paid members
  3. Release the information to the public.

The community would probably frown on it. MDG should make money and more power to them–for providing superior products, in this case, the support of their knowledge.


#10

Ha ha. Best comment I’ve seen in a while.


#11

Paying individuals who find security holes is actually a quite effective strategy. There’s a good reason why HackerOne exists (although I don’t believe Meteor currently pays - who knows, maybe they’ll start …).


#13

I was halfway done writing a post agreeing with you. But I changed my mind. The info that there’s a critical fix coming itself doesn’t help anyone much. Of course you might be able to prepare better. But if this info is disclosed to the public something like 24 hours in advance, you should have enough time to prepare (clear your schedule or something).

I write this assuming Meteor follows this best practice:
Most projects announce they have found and fixed a security hole. In the post they include the exact date and time the fix will be released. That way devs/sysadmins can be ready to upgrade.

Is that true with Meteor?


#14

We’re not in disagreement necessarily. My point is exactly that Meteor doesn’t pay for discovering exploits, although they may discover some on their own.

It’s a strange thing to profit off. Why not spend serious time discovering an exploit, then auction the discovery to the highest bidder before going public? I don’t believe many developers do this because it’s not in the culture, whereas iOS is exploited by jailbreaks perhaps for the sake of 3rd party app stores, despite Apple’s much better funded security team. Certainly more exploits would be discovered if serious money was perceived in it.

To put it another way, why let another company profit off your discovery rather than your own? If the culture was that exploits were shared by the community for mutual interest’s sake, that’s great. Once that becomes a business within a community, the culture changes.

I’m sure MDG thought this through of course. It’s an interesting discussion on its own. Perhaps I’m really out of the loop, but what other open source companies are doing this? Does FreeBSD offer advance notice of security issues based on the merit of cold hard cash? Should the police make more frequent scoutings to that rich block uphill?

The risk with exploits is that criminals will destroy your shit. Using that threat for income isn’t perfectly virtuous.


#15

Thanks for all the helpful feedback on this. The developer subscription announcement wasn’t meant to say we’d be doing anything different on security disclosure or holding back any critical fixes.

Here’s what’s going on: larger companies have been telling us they need a way to be certain they hear about any critical Meteor fixes. Their concern is that their developers may not be following the forums or announcement list closely, especially once they’ve deployed their project and moved on to other priorities, and they’re just more comfortable knowing that we have their back and they’ll get a call from us. This assurance is important for many of the companies considering Meteor, and I’m excited we can now offer it to them.

Our stance on security updates is unchanged. We believe in transparent disclosure of the issue, paired with an appropriate fix or workaround. We publish security-critical fixes as patch Meteor releases that are easy to upgrade to. (We take great pride in this kind of release management work.) Typically we also publish patch releases for multiple minor versions and code patches for anyone who for some reason can’t take a new release. In some cases we have delayed sharing a more detailed explanation of the underlying issue until the community has had time to make the necessary upgrades.


#16

Thanks for clarifying and modifying the description.


#17

How much does the subscription service cost?
I can’t find that mentioned anywhere.


#18

Early, enterprise-targeted pricing is usually not communicated publicly. Maybe the idea is generally that if you’d have to ask to know whether it’s for you – then it’s not :wink:
(Not saying this specifically about MDG, they definitely don’t come across as too focused on enterprise, which I like – I’m just jovially making fun of early pricing communication in general… ;))
(In this case I’m fairly certain that they may not be very clear about it themselves and are just testing the waters and if it’s really targeted at enterprise customers, then they know that those will have no problem with inquiring directly and signing up for the service pretty much regardless of what it costs, so long as it’s reasonably within what they’re used to paying for similar services.)