[OWASP-Bangalore] Why full/public disclosure of WebAppSec hack/vulnerability !

Apurv Anand apurv_anand at yahoo.com
Fri Jun 26 08:38:30 EDT 2009


Hi Raxit,

The main idea of public disclosure is to tell the public (the users of the application) that a particular version of the product has a vulnerability and that they should patch the application with the patch provided by the vendor to avoid any attacks. Ethically, public disclosures are not done to force the vendor to fix the issue.

This means that the public disclosure should happen under the criteria set by the finder and the vendor after the fix is provided.

You can contact a few popular websites to get your findings out. Ideally, state the version that has the problem and the patch that fixes it.

thanks,
apurv


--- On Thu, 6/25/09, Raxit Sheth <raxitsheth2000 at gmail.com> wrote:

> From: Raxit Sheth <raxitsheth2000 at gmail.com>
> Subject: [OWASP-Bangalore] Why full/public disclosure of WebAppSec hack/vulnerability !
> To: owasp-mumbai at lists.owasp.org, owasp-bangalore at lists.owasp.org, "BarCampMumbai2" <barcampmumbai2 at googlegroups.com>, "BarcampAhmedabad" <barcampahmedabad at googlegroups.com>, barcampdelhi at googlegroups.com, bangalore_barcamp at yahoogroups.com, "null null" <giimale at gmail.com>
> Date: Thursday, June 25, 2009, 10:07 PM
> Hi Guys
> 
> 
> 
> On this Sunday (21st Jun 2009), I found a few critical personal
> data items open on the Outlook Money website, which I tweeted after
> it had been fixed etc. [i.e. first it was fixed and then I
> tweeted!!! just to avoid any confusion.]
> 
> 
> Now I just wanted to know why one should put out a disclosure or bring
> this to the public (after it has been fixed!)? [If they are
> not fixing it, doing public disclosure to force them to fix it
> is fine... But once they have done the fix... Should one?]
> 
> 
> 
> Open for thoughts !
> 
> 
> 
> -Raxit Sheth
> www.m4mum.com
> www.twitter.com/raxit
> 
> 
> 
> 
