Re: Informing Companies about security vulnerabilities..

[Dragos Ruiu <dr () pacsec jp>]

On Thursday 05 October 2006 10:59, bugtraq () cgisecurity net wrote:
> > > Sound like you need to consider your response. I'll let the lawyers
> > > correct me, but AFAIK unless the thing you are pointing them at
> > > contravenes some laws, merely posting something with a cross site
> > > reference to a site does not constitute prohibited behaviour anywhere I
> > > know of, and there are many legitimate contexts to be doing this in (as
> > > well as the unitended ones) and intentional reasons why some sites
> > > explicitly allow this (for better or for worse).
>
> If that is what he did then yes. However if you read the email you'd know
> he did in fact test it (in his words), more below.
>
> > > Maybe you need to consult your lawyer :-).

My point exactly is that _testing_ XSS is not necesarily malicious or illegal.
Which is what you were implying. Using it to plant malicious content is
another matter, but lets not go around trying to criminalize rattling a
doorknob to see if it is locked.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan    November 27-30 2006    http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------