| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAPiX_LS0FfyBRSpTWra5MevJvmF8aciVYXj_fUZmVkZFD1c=Q@mail.gmail.com> Date: Wed, 8 Feb 2012 07:13:11 -0700 From: Greg Knaddison <greg.knaddison@...uia.com> To: b <b@...isoryalerts.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: posting xss notifications in sites vs software packages On Tue, Feb 7, 2012 at 4:18 PM, b <b@...isoryalerts.com> wrote: > What is the point of posting notifications of XSS vulnerabilities in > specific web sites instead of alerts of xss vulns in specific software > packages? I think there are at least 2 reasons: 1. We have pretty good data about bugs in published software packages because those vendors will usually disclose the issues and we can track it and know what's going on. But we don't have good data for security bugs in completely custom code. I think it's helpful to prove the point that custom code has security bugs too, even if we don't see CVE numbers for it. 2. If you are a customer of one of those sites you can use the knowledge of a bug in the site to take proactive measures like disabling javascript/flash/java/etc. when visiting that site if you know it has xss. Or simply not logging in until a CSRF issue is fixed. Regards, Greg -- Director Security Services | +1-720-310-5623 Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists