Full Disclosure mailing list archives
Re: XSS at Citibank.co.uk
From: Jim Duncan <jnduncan () cisco com>
Date: Sun, 14 Aug 2005 01:56:09 -0400
Andrew Smtih writes:
Anyway, I informed citibank through e-mail (no response), posted it on my blog (no response, no fix..) and now I'll post it here. I've had luck on FD in contacting BankOfAmerica employees in the past, so maybe there are a few Citibank admins listening? Let's hope so.
While any method of contact is better than none, may I suggest you check the list of FIRST teams at http://www.first.org/ before posting publicly? While I can't guarantee any given organization will be a member -- nor can I guarantee a response to the given address -- Citigroup is a long-time member of FIRST, and their first-team members have demonstrated excellent responsiveness in the past. The direct link is http://www.first.org/about/organization/teams/. The address to reach Citigroup's response team is first.team () citigroup com.

Additionally, for the general benefit of Full Disclosure readers, the US National Infrastructure Advisory Council (NIAC) Vulnerability Disclosure Framework (VDF) documents a standard URL for identifying how to report security issues, whether cyber or physical, into an organization. Please consider checking http://www.example.com/security/ (the "slash security" page) in addition to other methods you might use. I would consider it a personal favor (in addition to the obvious benefit to the security of The Net) if you and the other readers of the Full Disclosure list would encourage wider adoption of this standard.

Details are available in the official NIAC VDF report: http://www.dhs.gov/interweb/assetlibrary/vdwgreport.pdf

The standard is designed to be appropriate for _any_ web site, whether internal or external to an organization. The primary function is to show how to report a security issue _into_ an organization, and the secondary function is to show how to receive security information _from_ an organization. The tertiary function, if present, documents any other security information relevant to the site.

To quote Steve Bellovin, following a presentation I made on this topic at a NANOG Security BoF session, "This is important. Everybody should do this."

As a principal co-author of the report, I welcome any comments or questions you or the other readers might have.

Thanks!
Jim
FIRST Steering Committee Member and FIRST.Org, Inc., Board of Directors

--
Jim Duncan, jnduncan () cisco com, +1 919 392 6209
Critical Infrastructure Assurance Group, Cisco Systems, Inc.
Group URL: http://cisco.com/security_services/ciag/
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/