lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4b6ee931041030202216211ca0@mail.gmail.com>
From: xploitable at gmail.com (n3td3v)
Subject: Slashdot: Gmail Accounts Vulnerable to XSS Exploit

I feel sorry for all the security pros outside of gmail and google, so
I say the below on behalf of them...

Should the general public be expecting a disclosure of the
vulnerability to security mailing lists once a solution has been
implemented to patch the hole, so other web-based services are aware
of the possibility of the same problem being an issue for them, or
should gmail be keeping everything secret after they patch.

I guess if gmail team did not want to make a public disclosure of the
vulnerability, the gmail folks would send a private e-mail to people
like yahoo, if it was found to be a current issue for other webbased
e-mail services, or in future possibilities.

If none of the above, can we expect the "hacker" to make an
announcement once he has heard back from the vendor that a solution
and patch has been implemented.

If this was a private disclosure, then no one would be asking for a
public announcement of the vulnerability, but since this has been made
into a public, high profile disclosure, is it not right in the public
interest for ethier the "hacker" or gmail team to make the
vulnerability known, after its safe to do so.

Thanks,

n3td3v


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ