Date: Fri Jul  7 16:13:51 2006
From: security at randomtask.net (Mike Duncan)
Subject: Re: [WEB SECURITY] Cross Site Scripting in Google

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin O'Neal wrote:
> 
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion.  Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.

Actually, I think this is the point the author was trying to make. We
should not be thinking about the interests of a company who has ignored
issues in the past. The "great majority of the user base" will listen to
the company -- not us -- anyway. They are not on these lists and thus
will not see what we see.

We are not making the Google website better here; rather, we are trying
to alert people to a possible issue with the website that they should be
aware of and learn from.

The author did the right thing here by posting examples in the past of
Google ignoring possible issues with their website. I think the author
actually went above and beyond the "requirements" of the list(s) and its
reader base as well.

And the debate continues...

Mike Duncan
security@...domtask.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFErnK1OSRBehttuMoRAu2KAKDCWdH1z3RuZ4stX0PeQY5ely3KiQCfaR8b
y4pY794d1xgNW6P1tsIdqtk=
=a/SO
-----END PGP SIGNATURE-----
