Full Disclosure mailing list archives

Re: Websites vulnerabilities disclosure


From: Raghu Chinthoju <raghu.chinthoju () gmail com>
Date: Fri, 7 Oct 2005 14:38:34 +0530

I say, "... hey listen! your house entrance door latch isn't strong
enough.. there are only 4 screws instead of 16, which is the practice..
you have a risk of someone easily barging into your house ...". For
some reason you don't respond.. I publish it in the local newspaper
that ".. Mr. X's door latch is weak and anyone can break it easily
..." Do you think it is ethical??? I seriously think not.

Moreover, going by my personal experience, I think 5 out of 10
websites[1] would be vulnerable to some kind of security issue, like
running vulnerable versions of the web server, improper input
validation etc., which are just specific to them and their clients. What
would be the interest of the general public in such issues? I don't think
anyone from those sites would be part of bugtraq or FD as you
mentioned that they are not vendors. Your publication will only
increase the magnitude of their risk and doesn't do good to anyone.
If you have time, try to provide them with the required knowledge or
fix. If you can't, just leave them to their fate and move on..

Raghu

[1] I don't have any data to support this.. If you don't agree, please
do so. You have every right to :)


On 10/6/05, offtopic <offtopic () mail ru> wrote:
Hi List.
I need your opinion.
Recently I found multiple vulnerabilities in several sites. Some sites belong to security-related firms but not
software vendors. I'm trying to contact those companies under rfpolicy several times but don't receive any response, or
receive something like "what injection are you talking about?".

I want to know - is it "ethical" to use standard vulnerability disclosure policies for public websites? Which
third-party can be used as coordinator, like CERT/CC?
Or in other words - who should care about website security?
Thank you.

(c)oded by offtopic () mail ru

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


