As long as there are NO RULES i.e. standards which companies MUST adhere to in order to ensure an application is built for suitability for purpose and a basic set of security principles the current state of software development will continue. There will be those large software vendors which will bend to pressure from large corporations but without a LEGAL framework the huge numbers of small to middle size applications vendors who would prefer smoke and mirrors will continue with that theme since it is zero cost.
-----Original Message----- From: tcp fin [mailto:[EMAIL PROTECTED] Sent: 11 July 2006 05:30 To: Martin O'Neal; [EMAIL PROTECTED]; RSnake Cc: [EMAIL PROTECTED]; [email protected]; [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google Hey Martin , I agree with u partly but there are vendors out there in the market who has Dont know DOnt care attitude. If thats the case after idetifying and exploiting the vulnerability in the same vendor product , I personally would not like to waste my and your time with vendor who did not give us fav response before. I would refrain from taking names but I have seen that happening in the past and still some of those vul are existing in those products. However no one can deny Full Disclosure with responsibility the responsible Disclosure !!! Regards, TCP-FIN --- Martin O'Neal <[EMAIL PROTECTED]> wrote: > > > my opinion is that full disclosure is not for > vendors .. > > it's for users. full disclosure is for us to know > how to > > react on certain threads. > > Which is just fine if you are technically competent > to understand the > threat, and there is also a valid mitigating > strategy you can employ > immediately. For the vast majority of situations > though, this just > isn't the case. The users are not technically > competent enough to > understand the true threat posed by an entry on a > news group (which are > generally hopelessly incomplete and/or factually > inaccurate) and then > this is coupled with a vulnerable product that may > be essential, > difficult to protect, and a stable official fix that > may be weeks or > months away from delivery. > > I personally also believe in full disclosure, but it > has to be delivered > in a responsible fashion. Dispatching > vulnerabilities to a public list > without even attempting to contact the vendor is > clearly not in the best > interest of the vendors nor the great majority of > the user base. > > Martin... > > > > ---------------------------------------------------------------------- > CONFIDENTIALITY: This e-mail and any files > transmitted with it are > confidential and intended solely for the use of the > recipient(s) only. > Any review, retransmission, dissemination or other > use of, or taking > any action in reliance upon this information by > persons or entities > other than the intended recipient(s) is prohibited. > If you have > received this e-mail in error please notify the > sender immediately > and destroy the material whether stored on a > computer or otherwise. > ---------------------------------------------------------------------- > DISCLAIMER: Any views or opinions presented within > this e-mail are > solely those of the author and do not necessarily > represent those > of Corsaire Limited, unless otherwise specifically > stated. > ---------------------------------------------------------------------- > Corsaire Limited, 3 Tannery House, Tannery Lane, > Send, Surrey, GU23 7EF > Telephone: +44(0)1483-226000 > Email:[EMAIL PROTECTED] > > > ------------------------------------------------------------------------ - > Sponsored by: Watchfire > > Securing a web application goes far beyond testing > the application using > manual processes, or by using automated systems and > tools. Watchfire's > "Web Application Security: Automated Scanning or > Manual Penetration > Testing?" whitepaper examines a few vulnerability > detection methods - > specifically comparing and contrasting manual > penetration testing with > automated scanning tools. Download it today! > > https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm > ------------------------------------------------------------------------ -- > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ - Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr ------------------------------------------------------------------------ -- This e-mail is intended for the named recipient(s). It and any attachments may contain privileged and/or confidential information. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If you are not one of the intended recipients, or this email is received in error, please immediately either notify the sender or contact OAG Worldwide Limited on +44 (0) 1582 600111 quoting the name of the sender and the email address to which it has been sent and then delete it and any attachment(s). While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Limited and its affiliate companies cannot guarantee that attachments do not contain any viruses or are compatible with your systems, and does not accept liability in respect of viruses or computer problems experienced. Neither OAG Worldwide Limited nor the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments. OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to secure effective system operation and for other lawful purposes. By replying to this email you give your consent to such monitoring. Thank you. OAG Worldwide Limited is a company registered in England and Wales (registered number 4226716), with its registered office at Church Street, Dunstable, Bedfordshire, LU5 4HB, United Kingdom. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
