Why full/public disclosure of WebAppSec hack/vulnerability !


Raxit Sheth

Jun 25, 2009, 12:07:13 PM
to owasp-...@lists.owasp.org, owasp-b...@lists.owasp.org, BarCampMumbai2, BarcampAhmedabad, barcam...@googlegroups.com, bangalor...@yahoogroups.com, null null
Hi Guys



On this Sunday (21st Jun 2009), found a few critical personal data open on the Outlook Money website, which I tweeted after it had been fixed etc. [i.e. first it is fixed and then I tweeted!!! Just to avoid any confusion.]

Now I just wanted to know why to put out a disclosure or bring this to the public (after it has been fixed!)? [If they are not fixing it and to force them to fix, doing public disclosure is fine... But once they have done the fix... should one?]


Open for thoughts!



-Raxit Sheth
www.m4mum.com
www.twitter.com/raxit


Hemantkumar Jain

Jun 25, 2009, 12:10:57 PM
to barcamp...@googlegroups.com
Good for both parties!!

They fixed it once you reported it... so they are good and responsive!!
You discovered the bug, so you are a good resource for someone who is looking for one...!!

Reputation building for both :D

Keep smiling and have a nice day ...

Hemantkumar Jain

Mobile: +971 55 794 2889 (Dubai, UAE)
Mobile: +971 50 959 7578 (Dubai, UAE)

Change Mgmt Consultant,
Satyam Computer Services Ltd.

I read impossible as I'M Possible !
============================
http://www.linkedin.com/in/hemantkumarjain
www.arbitmba.com | http://shoOOonya.blogspot.com
============================


2009/6/25 Raxit Sheth <raxitsh...@gmail.com>

Raxit Sheth

Jun 26, 2009, 10:40:11 AM
to owasp-b...@lists.owasp.org, BarCampMumbai2, owasp-...@lists.owasp.org
Well, except for fame, if the community or other web admins get any benefit, then I am more than happy to disclose.

Raxit

On Fri, Jun 26, 2009 at 2:47 PM, Prashanth Sivarajan <pras...@gmail.com> wrote:
What he means is... why talk about a vulnerability that is already fixed...

We all learn from something that already happened. If you see any security tutorial, they talk about how some websites 'were' hacked; they never teach you how to hack.
That's for you to figure out.
 
It is like reading the poems of other great poets to get inspired and write your own.

 
On Fri, Jun 26, 2009 at 12:23 PM, Syed Mohamed A <Sye...@microland.com> wrote:

Send it to security focus …

Regards

Syed Mohamed A

AGM – Security Services,

Microland Ltd

(Co-author OWASP Guide, WASC Threat Classification, SANS Top 20)

 

From: owasp-banga...@lists.owasp.org [mailto:owasp-banga...@lists.owasp.org] On Behalf Of Raxit Sheth
Sent: Thursday, June 25, 2009 9:37 PM
To: owasp-...@lists.owasp.org; owasp-b...@lists.owasp.org; BarCampMumbai2; BarcampAhmedabad; barcam...@googlegroups.com; bangalor...@yahoogroups.com; null null


Subject: [OWASP-Bangalore] Why full/public disclosure of WebAppSec hack/vulnerability !


_______________________________________________
OWASP-Bangalore mailing list
OWASP-B...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-bangalore




