Let me start with questions related to responsible MySQL bugs
reporting that I'd like to be discussed and then present a
history behind them.
Assuming that you, my dear reader from MySQL Community, noted or found some simple sequence of SQL statements that, when executed by authenticated MySQL user explicitly having all the privileges needed to execute these statements, crashes some version of your favorite MySQL fork, please, answer the following questions:
- Do you consider this kind of a bug a "security vulnerability"?
- Should you share complete test case at any public site (MySQL bugs database, Facebook, your personal blog, any)?
- Should you share just a description of possible "attack vector", as Oracle does when they publish security bug fixes?
- Should you share just a stack trace or failed assertion information, without any details on how to get it?
- Should …