MattCruikshank 2 days ago

EDIT: Looks like they did responsibly disclose - that's nice. I missed the single line at the bottom of the article. I'd prefer if an article like this opened with a paragraph about their conversation with the maintainers, and how all vulnerabilities have already been patched, etc. But I guess that's a personal preference.

===

Did they privately disclose these vulnerabilities to the developers and give them a reasonable amount of time to fix them, before they announced them to the world?

Because, and I'm going to highlight, if someone exploits a CVE in an EMR, they can wreak havoc on actual real patient data, and can endanger health and lives.

https://github.com/openemr/openemr/security

"Option 1 (preferred) : Report the vulnerability at this link. See Privately reporting a security vulnerability for instruction on doing this."

Did they do that?

Because if they didn't responsibly disclose, this sure seems like a hit job performed by someone who'd rather EMR software be closed source.

1970-01-01 2 days ago | parent [-]

RTFA, Matt. Your answer is at the end of it.

MattCruikshank 2 days ago | parent [-]

Have you heard of the term, "bury the lede"?

I'd love to see an opening paragraph like this one:

"All discovered vulnerabilities have already been patched. We waited to publish this article until they were. Release 8.0.3 addresses all of them, and we advise updating as soon as possible. We waited until 95% of installs had already updated to that version."