[WEB SECURITY] RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google

tcp fin inet_inaddr at yahoo.com
Tue Jul 11 00:29:38 EDT 2006

Hey Martin , 
I agree with u partly but there are vendors out there
in the market who has Dont know DOnt care attitude. If
thats the case after idetifying and exploiting the
vulnerability in the same vendor product , I
personally would not like to waste my and your time
with vendor who did not give us fav response before. 
I would refrain from taking names but I have seen that
happening in the past and still some of those vul are
existing in those products.
However no one can deny Full Disclosure with
responsibility the responsible Disclosure !!!

--- Martin O'Neal <martin.oneal at corsaire.com> wrote:

> > my opinion is that full disclosure is not for
> vendors .. 
> > it's for users. full disclosure is for us to know
> how to 
> > react on certain threads. 
> Which is just fine if you are technically competent
> to understand the
> threat, and there is also a valid mitigating
> strategy you can employ
> immediately.  For the vast majority of situations
> though, this just
> isn't the case.  The users are not technically
> competent enough to
> understand the true threat posed by an entry on a
> news group (which are
> generally hopelessly incomplete and/or factually
> inaccurate) and then
> this is coupled with a vulnerable product that may
> be essential,
> difficult to protect, and a stable official fix that
> may be weeks or
> months away from delivery.
> I personally also believe in full disclosure, but it
> has to be delivered
> in a responsible fashion.  Dispatching
> vulnerabilities to a public list
> without even attempting to contact the vendor is
> clearly not in the best
> interest of the vendors nor the great majority of
> the user base.
> Martin...
> CONFIDENTIALITY:  This e-mail and any files
> transmitted with it are
> confidential and intended solely for the use of the
> recipient(s) only.
> Any review, retransmission, dissemination or other
> use of, or taking
> any action in reliance upon this information by
> persons or entities
> other than the intended recipient(s) is prohibited. 
> If you have
> received this e-mail in error please notify the
> sender immediately
> and destroy the material whether stored on a
> computer or otherwise.
> DISCLAIMER:  Any views or opinions presented within
> this e-mail are
> solely those of the author and do not necessarily
> represent those
> of Corsaire Limited, unless otherwise specifically
> stated.
> Corsaire Limited, 3 Tannery House, Tannery Lane,
> Send, Surrey, GU23 7EF
> Telephone: +44(0)1483-226000 
> Email:info at corsaire.com
> Sponsored by: Watchfire
> Securing a web application goes far beyond testing
> the application using
> manual processes, or by using automated systems and
> tools. Watchfire's
> "Web Application Security: Automated Scanning or
> Manual Penetration
> Testing?" whitepaper examines a few vulnerability
> detection methods -
> specifically comparing and contrasting manual
> penetration testing with
> automated scanning tools. Download it today!

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list