Post Friends My journal
alierak

(Untitled)

Jul 18, 2006 17:31

You may have noticed it's been a while since I posted anything here. There's a reason for that. In February I got busy participating in the Livejournal XSS Contest, where I learned a few javascript / CSS tricks and won three permanent accounts for my trouble. I keep wondering if I should finish writing up that experience, and how much detail to go ( Read more... )

toys, lj

Leave a comment

Back to all threads
coderlemming July 19 2006, 05:35:20 UTC
I haven't read the ToS, so I don't really know what the rules are, but here's what I answered, in order: "in full detail", "everyone", "in full detail", "friends only".

The reason for the first and second is that giving full disclosure on a bug that's fixed gives everyone the chance to study it and learn from the mistakes, but it's still "safe" because no one can run out and use it to steal someone's journal. If by "fixed" you only mean "fixed on the test site, but still not fixed on the main site", then I'd say don't disclose it to everyone... maybe just friends. I answered "everyone" under the assumption that you WANT to disclose your experience and the bugs you found to everyone... if you don't, you're not under any ethical obligation to do so.

As to the second, I think you gave Brad long enough to check into the security holes and fix them, or at least to acknowledge them all. Of course, if he really did misplace them, someone might take your reports and resubmit them and try to take credit... well, your call on that. As to what to disclose and to whom, I think full disclosure is again good because it allows us to learn from the mistakes. I don't think necessarily disclosing it to the entire world is a good idea, because it could turn into a recipe for a script-kiddie. Posting friends-only doesn't necessarily mean someone won't republish what you write and make it public, but I think it's a happy medium between full disclosure to everyone and not disclosing anything.

Of course, if you don't want to share anything, don't, but I'd definitely be interested to see what you write.

Reply

alierak July 19 2006, 08:32:24 UTC
Thanks. I'm definitely leaning in the direction of your answers. It is reassuring that you are one of the few people on my flist actually qualified to give advice on security research.

As for things being fixed only on the test site, it's (imho) unethical to discover that, because you'd have had to try an exploit on the main site, which was not in the scope of the challenge. Permission was granted to bang on only the test server, afaik. But I think I can assume security bugfixes were applied to the test site and then to the main site within a day of the changes having appeared in public CVS / SVN. The bugs I'm calling "fixed" ought to be unambiguously dead at this point.

Reply

coderlemming July 19 2006, 17:40:21 UTC
Oh, right, good point. In that case, I think you're right, you've got every reason to believe that "fixed" means fixed.

Reply

Back to all threads

Leave a comment

Up
Homepage Read journal... Full version Help Русская версия
© 1999-2024 LiveJournal, Inc.