I'm sure we'll be told off pretty soon for this topic as it's not on-topic, but before it all ends I'd like to reply to your message ;-))
> And do you think it was responsible to make such information
> public? I would have only done so AFTER giving him enough time to plug-up the
> security hole.

Yes and No.

If I am also notified of it then YES, if I am not notified of it then NO. If he does not exploit the hole, then YES, if he exploits the hole then NO.

It is every developer's responsibility to have as secure a website as possible, and when notified of holes it's their responsibility to fix them. Because after all most websites deal with private customer data (in most cases).

This is an interesting subject that I also touched on the CFAUSSIE list a couple of days ago (and got the cold shoulder - again). There should be a group of people (trustworthy people, friendly people, developers, designers etc.) who get together on this and test these vulnerabilities for others who ask for it.

<sad neglected voice>But nobody's interested</sad neglected voice>

If you'd be dealing with a bank surely you'd like any cracker to let them know about any found vulnerabilities? And if posted publicly then the owner has to do something about it, he can't keep ignoring it. I know it's scary, but it's something that should be dealt with in the open. IMHO

Now, who just crashed my computer, did someone crack it?

> I'm sure you wouldn't appreciate your security vulnerabilities (yes,
> everyone has them, no matter how obscure) being published in a public
> forum, so why do the same to him?
>
> Justin French

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786

Tell me and I will forget
Show me and I will remember
Teach me and I will learn

> -----Original Message-----
> From: Justin French [mailto:[EMAIL PROTECTED]
> Sent: Friday, 23 January 2004 11:22 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [WSG] Since you're a Taco fan...
>
> On Friday, January 23, 2004, at 11:53 AM, [EMAIL PROTECTED] wrote:
>
> > His photo gallery has a nice cross-site scripting vulnerability (I
> > emailed him privately about it). But here's the test URL I made, just for a
> > laugh...
>
> And do you think it was responsible to make such information
> public? I would have only done so AFTER giving him enough time to plug-up the
> security hole.
>
> I'm sure you wouldn't appreciate your security vulnerabilities (yes,
> everyone has them, no matter how obscure) being published in a public
> forum, so why do the same to him?
>
> Justin French
>
> *****************************************************
> The discussion list for http://webstandardsgroup.org/
> *****************************************************
