On 1/15/2016 4:46 AM, Richard Hipp wrote:
> I received email alerting me to the following:
> https://www.xssposed.org/incidents/124372/
>
> My assessment is that this is a scam or shakedown:  "Nice website you
> have there.  Send us money if you want to know about a vulnerability.
> If you don't, we'll tell a bunch of script kiddies how to break it."
>
> But perhaps I am misjudging the situation.  Anybody else have any thoughts?


They (xssposed.org) seem to have a mixed reputation from what I can tell. That is, site owners are uncomfortable about them for exactly the reasons you state. I haven't located any commentary about them specifically from the experts I personally pay attention to, but the general chatter seems to indicate that although they come off as a bit of a shakedown operation, that really isn't their goal.

They've had coverage from some fairly high profile legitimate media, who seem to have taken the non-profit at their word that their goal is to verify that reports are real and provide a means of contact, along with eventual public disclosure.

A large segment of the security community believes that public disclosure of vulnerabilities is good, at least as long as it is done "responsibly", which is usually taken to mean only after the site owner has been given a chance to patch or repair. That said, I haven't found them mentioned at all in any of the easy-to-find discussions of bug bounty programs and responsible disclosure advocates.

This answer at Information Security has a trove of interesting resources related to disclosure, springing off essentially the same question: http://security.stackexchange.com/q/19436/3444


The user profile of the specific user does read like a hacker going (somewhat?) legit who is dumping his trove of known issues, and using xssposed as the escrow agent for the information.

I don't think you are risking much if you take it at face value and send a politely noncommittal email of the "thanks for your help, what is the problem" variety.

Personally, if I knew more about XSS I'd take it as a bit of a challenge to find the issue knowing only that one was found...

--
Ross Berteig                               r...@cheshireeng.com
Cheshire Engineering Corp.           http://www.CheshireEng.com/

_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
