rt.cpan.org

Matts on 2002-01-21T15:04:28

I've spent today closing off bugs on rt.cpan.org. It's been good, and I've enjoyed doing it, because people have been good enough to put patches in with their bug reports (and some bugs just magically fixed themselves with other patches).

However I got extremely worried about the number of bug reports on there that had XML in, where the XML didn't get displayed. This is a pretty sure sign of a cross site scripting vulnerability. So I tested it and sure enough, CSS bugs. Quite concerned I fired off a vulnerability assessment to cpan-questions@bestpractical.com. About 5 minutes later I got an email denying the bug, so I replied with a URL, and got an "Oops, that shouldn't happen" reply back, followed by another 5 mins later saying it was fixed. Apparently rt.cpan.org was running an untested beta of RT (tut, tut ;-) which they had never released to the public other than rt.cpan.org (which means they don't need to send an email to BugTraq telling everyone to upgrade urgently).
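As an added illustration (not RT's code, and not part of the original post), a short Python sketch of why markup that vanishes from a displayed bug report is the symptom described above, beside the escaped rendering that fixes it. The report body, the two renderers and the leak check are all constructed for this example.

```python
"""Added example: unescaped vs escaped rendering of a submitted ticket body.
Not RT's code; the sample report and helper names are constructed here."""
import html
import re
from html.parser import HTMLParser

# Constructed sample: a LibXML bug report whose body contains XML markup.
REPORT_BODY = 'Parsing <doc><item id="1"/></doc> dies in XML::LibXML'


def render_unescaped(body: str) -> str:
    """Buggy renderer: interpolates the submitted text straight into HTML,
    so any tag in the report is handed to the browser as markup."""
    return f"<div class='ticket'>{body}</div>"


def render_escaped(body: str) -> str:
    """Fixed renderer: HTML-encode every submitted character first, so the
    browser shows the tags as text instead of interpreting them."""
    return f"<div class='ticket'>{html.escape(body, quote=True)}</div>"


class _TextOnly(HTMLParser):
    """Collects what a browser would display as text; tags are consumed."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(rendered: str) -> str:
    """Approximate what a user sees: the text nodes of the rendered HTML."""
    parser = _TextOnly()
    parser.feed(rendered)
    parser.close()
    return "".join(parser.parts)


def markup_leaks(body: str, rendered: str) -> bool:
    """Defender's check: True when a tag from the submitted body appears raw
    in the output, i.e. the renderer failed to escape it."""
    return any(tag in rendered for tag in re.findall(r"<[^<>]+>", body))


if __name__ == "__main__":
    # The XML disappears from the unescaped page, the exact sign noticed above.
    print(repr(visible_text(render_unescaped(REPORT_BODY))))
    print(repr(visible_text(render_escaped(REPORT_BODY))))
```

Running `markup_leaks` over a sample of stored reports and their rendered pages is a cheap regression check for this class of bug.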

Kudos to them for being so responsive though. I'm really glad RT is there on cpan.org - it has made bug fixing LibXML much more scalable - previously I'd get bug reports to me personally, to the xml-libxml-devel mailing list, some on the gnome libxml list, and some on the perl-xml list. Now I just tell people if they don't put the bug report on RT it will get lost in the bit-bucket, and so they comply. Fantastic stuff.