Responsible disclosure

Nov 09, 2010 17:26

I released my post-FA-debacle list of security vulnerabilities 23 days ago. Since then, only one person on FA staff has approached me about the list; this person is neither a technical contact nor a high-tier administrator, and he only asked vaguely about the admin panel CSRF exploit ( Read more... )

security, furaffinity, geeky

Comments 13

anonymous November 10 2010, 02:17:05 UTC
when you find a bug ★☆☆Run arbitrary commands on the server and rm -rf the thing.

psycocharmander November 10 2010, 03:18:28 UTC
Obviously the best day to actually reveal everything is the day you launch Floof, or shortly before ( ... )

eevee November 10 2010, 03:31:34 UTC
What? None of this has anything to do with floof or politics. :V

psycocharmander November 10 2010, 03:44:18 UTC
Furries make everything about everything. :x If you explain FA's exploits, many people are naturally going to assume that you're doing so because you have your own site that you want to see grow. Whether or not that's actually your reason at all won't matter, because you'll have a motive. That's all it takes.

It'd end up being political one day, I guarantee it. This is why I say you should probably sweep these exploits under a rug and not risk tarnishing your reputation among the people that you're hoping will use Floof at some point.

psycocharmander November 10 2010, 03:46:04 UTC
Yeah I don't think he gives a fuck. That is what makes him different from the other guys.

eagle_bird November 10 2010, 06:40:45 UTC
It depends on whether you -want- to tell them or not ( ... )

itrasbiel November 10 2010, 16:15:53 UTC
i'd say write up a long list of issues, noting, in general, how to exploit them and how to patch them. if you hear nothing back within a week, post it publicly. but if some admin in fa's official capacity responds and actually engages in dialog about the problems, hold off on posting it.

(my motives here might be a little transparent because i do like reading at length about awful code, but seriously every site except fa that i've ever contacted about their exploitable code i've gotten a response within hours thanking me and the issue has been patched within a few more hours. go ahead and publish it all; it might give them an actual motive to fix their shit.)

toksyuryel November 10 2010, 19:06:24 UTC
You've been patient enough. Just do what is necessary, we both know that it will never happen any other way.
