[OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !

Raxit Sheth raxitsheth2000 at gmail.com
Fri Jun 26 11:44:57 EDT 2009


On Fri, Jun 26, 2009 at 6:36 PM, Apurv Anand <apurv_anand at yahoo.com> wrote:

>
> Hi Prashanth,
>
> It's important to talk about it so that the end user knows about the
> problem and would help them decide to upgrade the application or not. It at
> times is critical to know why an upgrade is essential. Either because of the
> new functionality or bug fixes


It is not an application, it is a website! It's not at all under the user's control!
Disclosing one more vulnerability of Gmail will help you in any way (just for
example!)?

> (including security).
>
> Here it’s not important "how" to exploit a vulnerability, but the awareness
> of the problem that exists.
>
> thanks,
> apurv
>
>
>
> --- On Fri, 6/26/09, Prashanth Sivarajan <prash.siv at gmail.com> wrote:
>
> > From: Prashanth Sivarajan <prash.siv at gmail.com>
> > Subject: Re: [OWASP-Bangalore] Why full/public disclosure of
> WebAppSechack/vulnerability !
> > To: owasp-bangalore at lists.owasp.org
> > Date: Friday, June 26, 2009, 3:17 PM
> > What he means is...Why talk about
> > a vulnerability that is already fixed....
> >
> > We all learn from something that already happened. If
> > you see any security tutorial, they talk about how some
> > websites 'were' hacked; they never teach you how to
> > hack.
> > That's for you to figure out.
> >
> > It is like reading the poems of other great poets to
> > get inspired and write your own.
> >
> >
> > On Fri, Jun 26, 2009 at 12:23 PM,
> > Syed Mohamed A <SyedMA at microland.com>
> > wrote:
> >
> >
> >
> >
> > Send it to security focus …
> > Regards
> > Syed Mohamed A
> > AGM – Security Services, Microland Ltd
> > (Co-author OWASP Guide, WASC Threat Classification, SANS Top 20)
> >
> >
> >
> > From: owasp-bangalore-bounces at lists.owasp.org [mailto:owasp-bangalore-bounces at lists.owasp.org] On Behalf Of Raxit Sheth
> > Sent: Thursday, June 25, 2009 9:37 PM
> > To: owasp-mumbai at lists.owasp.org; owasp-bangalore at lists.owasp.org; BarCampMumbai2; BarcampAhmedabad; barcampdelhi at googlegroups.com; bangalore_barcamp at yahoogroups.com; null null
> > Subject: [OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !
> >
> >
> > Hi Guys
> >
> >
> >
> >
> > On this Sunday (21st Jun 2k9), I found a few critical personal
> > data open on the Outlook Money website, which I tweeted after
> > it had been fixed etc. [i.e. first it was fixed and then I
> > tweeted!!! Just to avoid any confusion.]
> >
> >
> >
> > Now I just wanted to know why one should put out a disclosure or bring
> > this to the public (after it has been fixed!)? [If they are
> > not fixing it, and to force them to fix it, doing public disclosure
> > is fine... But once they have done the fix... should one?]
> >
> >
> >
> >
> > Open for thoughts !
> >
> >
> >
> > -Raxit Sheth
> > www.m4mum.com
> > www.twitter.com/raxit
> >
> >
> >
> >
> > _______________________________________________
> > OWASP-Bangalore mailing list
> > OWASP-Bangalore at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-bangalore