WebApp Sec mailing list archives
RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
From: tcp fin <inet_inaddr () yahoo com>
Date: Mon, 10 Jul 2006 21:29:38 -0700 (PDT)
Hey Martin , I agree with u partly but there are vendors out there in the market who has Dont know DOnt care attitude. If thats the case after idetifying and exploiting the vulnerability in the same vendor product , I personally would not like to waste my and your time with vendor who did not give us fav response before. I would refrain from taking names but I have seen that happening in the past and still some of those vul are existing in those products. However no one can deny Full Disclosure with responsibility the responsible Disclosure !!! Regards, TCP-FIN --- Martin O'Neal <martin.oneal () corsaire com> wrote:
my opinion is that full disclosure is not forvendors ..it's for users. full disclosure is for us to knowhow toreact on certain threads.Which is just fine if you are technically competent to understand the threat, and there is also a valid mitigating strategy you can employ immediately. For the vast majority of situations though, this just isn't the case. The users are not technically competent enough to understand the true threat posed by an entry on a news group (which are generally hopelessly incomplete and/or factually inaccurate) and then this is coupled with a vulnerable product that may be essential, difficult to protect, and a stable official fix that may be weeks or months away from delivery. I personally also believe in full disclosure, but it has to be delivered in a responsible fashion. Dispatching vulnerabilities to a public list without even attempting to contact the vendor is clearly not in the best interest of the vendors nor the great majority of the user base. Martin...
----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF Telephone: +44(0)1483-226000 Email:info () corsaire com
-------------------------------------------------------------------------
Sponsored by: Watchfire Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google Martin O'Neal (Jul 06)
- RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google tcp fin (Jul 11)
- <Possible follow-ups>
- RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google PPowenski (Jul 11)