[OWASP-Bangalore] Why full/public disclosure of WebAppSec hack/vulnerability !

Vikas Jain v_jn at yahoo.co.in
Fri Jun 26 01:35:00 EDT 2009

Hello Raxit, I just want to recollect what I understood from your email.

"Some vulnerability in outlook money website has been reported and fixed.. But even after the fix, you are still able to exploit the vulnerability."

In this case, I would suggest going for public disclosure. Please correct me if I misunderstood something.


From: Raxit Sheth <raxitsheth2000 at gmail.com>
To: owasp-mumbai at lists.owasp.org; owasp-bangalore at lists.owasp.org; BarCampMumbai2 <barcampmumbai2 at googlegroups.com>; BarcampAhmedabad <barcampahmedabad at googlegroups.com>; barcampdelhi at googlegroups.com; bangalore_barcamp at yahoogroups.com; null null <giimale at gmail.com>
Sent: Thursday, 25 June, 2009 9:37:13 PM
Subject: [OWASP-Bangalore] Why full/public disclosure of WebAppSec hack/vulnerability !

Hi Guys

On this Sunday (21st Jun 2009), I found some critical personal data open on the Outlook Money website, which I tweeted after it had been fixed etc.. [i.e. first it was fixed and then I tweeted !!! just to avoid any confusion.]

Now I just wanted to know why to put out a disclosure or bring this to the public (after it has been fixed !) ?  [If they are not fixing it and to force them to fix it, doing public disclosure is fine ... But once they have done the fix ... should one ?]

Open for thoughts !

-Raxit Sheth

