
The Security Reporting Conundrum @ 2008-10-22 23:03:43
Filed under: Tech  Security  Frustration 
I'm sitting here browsing the web and I come across an XSS in a popular hosted website/application. My immediate reaction is to alert the company ... but then I think about it .... some companies get offended when you report security issues or, worse yet, freak out and think you're some kind of evil guy when all you're trying to do is be helpful.

No one should have to think about it this way. If you see someone leave their keys in their door they won't freak out if you knock on their door and tell them ... they are happy! If someone leaves their front door open and you point it out they are thankful you caught it before someone walked in. Reporting a security vuln should work like that ... companies should be happy they get the report!

In the end I think I'll go ahead and report it to them. If they freak out then, well, they freak out ... I should do the right thing.



 
© 2007-2009 Steve 'Ashcrow' Milner | Studio7designs | Arbutus Photography