[WEB SECURITY] RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google

Mike Duncan security at randomtask.net
Fri Jul 7 10:41:57 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin O'Neal wrote:
> 
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion.  Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.

Actually, I think this is the point the author was trying to make. We
should not be thinking about the interests of a company who has ignored
issues in the past. The "great majority of the user base" will listen to
the company -- not us -- anyways. They are not on this list(s) and thus
will not see what we see.

We are not making the Google website better here, rather we are trying
to alert people of a possible issue with the website that they should be
aware of and learn from this issue.

The author did the right thing here by posting examples in the past of
Google ignoring possible issues with their website. I think the author
actually went above and beyond the "requirements" of the list(s) and its
reader base as well.

And the debate continues...

Mike Duncan
security at randomtask.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFErnK1OSRBehttuMoRAu2KAKDCWdH1z3RuZ4stX0PeQY5ely3KiQCfaR8b
y4pY794d1xgNW6P1tsIdqtk=
=a/SO
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list