I say, "... hey listen! your house entrance door latch isn't strong enough.. there are only 4 screws instead 16, which is the practice.. you have a risk of some one easily barging into your house ...". For some reason you don't respond.. I publish it in the local news paper that ".. Mr. X's door latch is week and any one can break it easily ..." Do you think it is ethical??? I seriously think not.
More over, going by my personal experience, I think 5 out of 10 websites[1] would be vulnerable to some kind of security issue, like running vulnerable versions of the web server, improper input validation etc, which are just specific them and their clients. Would would be the interest of general public on such issues? I don't think any one from those sites would be part of bugtraq or FD as you mentioned that they are not vendors. Your publication will only increase the magnitude of their risk and doesn't do good to any one. If you have time, try to provide them with the required knowledge or fix. If you cant, just leave them at their fate and move on.. Raghu [1] I dont have any data to support this.. If you dont agree, please do so. You have every right to :) On 10/6/05, offtopic <[EMAIL PROTECTED]> wrote: > Hi List. > I need your opinion. > Recently I found multiply vulnerabilities in several sites. some sites behold > to security-related firms but not software vendors. I'm trying to contact > that companies under rfpolicy several times but don't receive any response on > receive something like "what injection your talking about?". > > I want to know - is it "ethical" to use standard vulnerability disclosure > policies to public websites? Which fird-party can't be user as coordinator, > like CERT/CC? > Or in other worlds - who should care about Web-sites security? > Thank you. > > (c)oded by [EMAIL PROTECTED] > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
