[OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !

Apurv Anand apurv_anand at yahoo.com
Fri Jun 26 09:06:37 EDT 2009


Hi Prashanth,

It's important to talk about it so that the end user knows about the problem, which would help them decide whether or not to upgrade the application. It is at times critical to know why an upgrade is essential, either because of new functionality or because of bug fixes (including security).

Here it's not important "how" to exploit a vulnerability, but the awareness of the problem that exists.

thanks,
apurv



--- On Fri, 6/26/09, Prashanth Sivarajan <prash.siv at gmail.com> wrote:

> From: Prashanth Sivarajan <prash.siv at gmail.com>
> Subject: Re: [OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !
> To: owasp-bangalore at lists.owasp.org
> Date: Friday, June 26, 2009, 3:17 PM
> What he means is... Why talk about a vulnerability that is already fixed....
> 
> We all learn from something that already happened. If you see any security tutorial, they talk about how some websites 'were' hacked; they never teach you how to hack.
> That's for you to figure out.
> 
> It is like reading the poems of other great poets to get inspired and write your own.
> 
> On Fri, Jun 26, 2009 at 12:23 PM, Syed Mohamed A <SyedMA at microland.com> wrote:
> 
> Send it to security focus …
> 
> Regards
> Syed Mohamed A
> AGM – Security Services, Microland Ltd
> (Co-author OWASP Guide, WASC Threat Classification, SANS Top 20)
> 
> From: owasp-bangalore-bounces at lists.owasp.org [mailto:owasp-bangalore-bounces at lists.owasp.org] On Behalf Of Raxit Sheth
> Sent: Thursday, June 25, 2009 9:37 PM
> To: owasp-mumbai at lists.owasp.org; owasp-bangalore at lists.owasp.org; BarCampMumbai2; BarcampAhmedabad; barcampdelhi at googlegroups.com; bangalore_barcamp at yahoogroups.com; null null
> Subject: [OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !
> 
> 
> Hi Guys
> 
> On this Sunday (21st Jun 2k9), I found a few critical pieces of personal data open on the Outlook Money website, which I tweeted after it had been fixed etc.. [i.e. first it was fixed and then I tweeted !!! just to avoid any confusion.]
> 
> Now I just wanted to know why to put out a disclosure or bring this to the public (after it has been fixed !) ? [If they are not fixing it, and to force them to fix, doing public disclosure is fine ... But once they have done the fix... Should one ?]
> 
> Open for thoughts !
> 
> -Raxit Sheth
> www.m4mum.com
> www.twitter.com/raxit
> 
> _______________________________________________
> OWASP-Bangalore mailing list
> OWASP-Bangalore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
