[WEB SECURITY] XSS Vulnerability Notification and Disclosure
webappsec at cjmarsh.com
Tue Aug 9 18:52:10 EDT 2005
All

Firstly, being new to the list may I offer my salutations.

Secondly, I discovered an XSS vulnerability in a website that I have a paid
subscription to. I emailed the website owners at their published email
address, detailing the problem from a technical angle and also explaining the
practical impact on their users (gaining of email address/password pair for
website user accounts). I received no response for a week. I then sent a
follow-up email giving more detail. I have been unfailingly polite.

If the website owners do not fix this problem, my initial reaction is to
post a neutrally-toned vulnerability disclosure on their website forums.
This is not a punitive measure; my attitude is that if the website owners
refuse to fix a well-known vulnerability then the user base should have
detailed instructions on how to avoid falling victim.

May I solicit opinions on the above and how I should proceed?

Many thanks in advance!

Regards
Chris Marsh
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/