November 24, 2023 at 10:40AM
The owner of OpenCart, an e-commerce store management system, has responded hostilely to a security researcher who disclosed a vulnerability in the product. The researcher, Mattia Brollo, tried to contact OpenCart for nearly a month through various channels before receiving dismissive and offensive responses from the owner, Daniel Kerr. OpenCart eventually recognized the vulnerability, which was given a high severity rating. Controversy aside, OpenCart has a relatively small market share compared to its competitors.
Key takeaways from the meeting notes:
1. The owner of OpenCart, an e-commerce store management system, responded defensively and hostilely to a security researcher who disclosed a vulnerability in the product. The researcher, Mattia Brollo, discovered a static code injection vulnerability and tried to contact OpenCart for a month before resorting to public disclosure.
2. Daniel Kerr, the owner of OpenCart, dismissed and offended Brollo in response to his vulnerability report, calling it a “non vulnerability.” However, the National Vulnerability Database recognized the issue as CVE-2023-47444, rating it near-critical with a severity score of 8.8 on the CVSS 3 scale.
3. Brollo attempted to reach out to OpenCart administrators again via the forums, but Kerr responded with profanity and derogatory language. Kerr then marked Brollo’s pull request as spam and closed it.
4. Eventually, Kerr merged Brollo’s fix into OpenCart’s master branch, but the incident revealed a concerning pattern of dismissive behavior towards security issues in the past.
5. This incident is reminiscent of a similar case in 2012, when OpenCart ignored warnings about insecure password-hashing practices. Kerr’s responses back then showed a lack of understanding and a dismissive attitude towards security concerns.
6. OpenCart faces competition from platforms like WooCommerce, Shopify, and Squarespace, which have a larger market share according to Statista’s data.