WebApp Sec mailing list archives

removing version identifying attribution data


From: Robin Wood <dninja () gmail com>
Date: Thu, 4 Mar 2010 00:32:10 +0000

With a lot of open source web apps there is usually some kind of file
or comment block in the code that identifies the author and gives
attribution. The problem with most of these is that they end up
leaking information about the version of the app being used.

I'm very keen on keeping attribution in place and wouldn't want to
release software without giving due credit but at the same time I'd
rather not expose my clients to data leakage which I could easily
control by removing all, or at least part, of the attribution.

The three general options I can see are:
* leave as is and, if there is a vuln found, hope you can patch before
the bad guys scan and find your site - battle potential Google dorks
* modify the included file or comment block to cut the information
down to a minimum - either a lot of manual work or a search and replace
job depending on how consistent the info is
* remove all attribution but put in place a file offering full
disclosure to anyone who asks for the information - doesn't credit the
authors directly, which would annoy me if it were my code

What do others do about this?

Robin
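An added example of the second option, not from Robin's post or any real project: a scripted search-and-replace that drops release-identifying lines from a header comment while keeping the author, copyright and licence lines, with an audit step so the removals can be reviewed first. The sample header is constructed, and the tag names (@version, @since, @author and so on) are assumptions about what such blocks typically contain; because it works line by line, it applies to any comment style, not only this PHP-style one.

```python
import re

# Constructed sample (not from any real project): a PHP-style attribution
# block of the kind the post describes, which also discloses the exact release.
SAMPLE_HEADER = """/**
 * ExampleCMS - content management for small sites
 *
 * @author    Jane Example <jane@example.org>
 * @copyright 2010 Jane Example
 * @license   GPL-2.0
 * @version   2.3.1
 * @since     1.0
 * @link      http://example.org/examplecms
 *
 * Generated by ExampleCMS v2.3.1 (build 4711)
 */
"""

# Tags that describe a release rather than a person or a licence (assumed names).
VERSION_TAGS = re.compile(r"^\W*@(version|since|release|build)\b", re.IGNORECASE)
# Free-text release markers: "v2.3.1", "version 2.3", "build 4711".
VERSION_TEXT = re.compile(
    r"\b(?:v|version\s*)\d+(?:\.\d+)+\b|\bbuild\s+\d+\b", re.IGNORECASE)
# Credit lines that must survive; used to confirm nothing essential was lost.
ATTRIBUTION_TAGS = re.compile(r"^\W*@(author|copyright|license)\b", re.IGNORECASE)

def leaks_version(line):
    """True if this comment line identifies the release of the software."""
    return bool(VERSION_TAGS.search(line) or VERSION_TEXT.search(line))

def find_version_leaks(text):
    """Audit step: list the lines that would be removed, for manual review."""
    return [ln for ln in text.splitlines() if leaks_version(ln)]

def strip_version_info(text):
    """Drop release-identifying lines; author/copyright/licence lines stay."""
    kept = [ln for ln in text.splitlines() if not leaks_version(ln)]
    return "\n".join(kept) + "\n"

def attribution_intact(original, scrubbed):
    """Check that every credit line of the original survived unchanged."""
    credit = [ln for ln in original.splitlines() if ATTRIBUTION_TAGS.search(ln)]
    return all(ln in scrubbed.splitlines() for ln in credit)

if __name__ == "__main__":
    for ln in find_version_leaks(SAMPLE_HEADER):
        print("would remove:", ln.strip())
    cleaned = strip_version_info(SAMPLE_HEADER)
    assert attribution_intact(SAMPLE_HEADER, cleaned)
    print(cleaned)
```

Run the audit over the whole tree first and diff the output against version control; a dotted licence identifier such as GPL-2.0 is deliberately left alone because the text patterns require a "v", "version" or "build" prefix.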




