nanog mailing list archives

Re: Security reporting response handling [was: Suggestions for the future on your web site]


From: Alain Hebert <ahebert () pubnix net>
Date: Tue, 22 Jan 2013 10:25:25 -0500

    Hi,

    (Mind the English, like my French, it's awful)

    Going from, what seems to be, a non-service-impacting XSS scan to
expulsion is a bit of a trek.  I'm sure there is a big chunk of the story
missing.  Besides, a 20yo is rarely aware of the proper etiquette when it
comes to scanning websites, and the worst he should have got is a sit-down
with security experts to explain to him how to go about it in the
future.

    Hopefully, stories like this will provide more incentive to 3rd
party software providers to add this type of scan to their Q&A.  And to
train their developers in the art of internet security when it comes
to XSS/SQL injection (see OWASP, etc.).

    PS: Being in Montreal, too bad someone already offered him a job :(
I may have some part-time work for a bright kid soon.

-----
Alain Hebert                                ahebert () pubnix net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 01/22/13 06:27, Suresh Ramasubramanian wrote:
On Tuesday, January 22, 2013, Matt Palmer wrote:

That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site.  There are
so many site vulnerabilities these days that they're not news.  What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.

Report - yes.  What this kid seems to have done is - reported it, got
thanked for it. Then went ahead and pentested the site to see for himself
whether the bug was fixed or not.   Which justifies the company asking him
to stop I guess - and it definitely justifies the kid's prof chewing him
out.

Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.

--srs