The risks of disclosing web vulnerabilities
Posted May 4, 2006 9:27 UTC (Thu) by eskild
In reply to: The risks of disclosing web vulnerabilities
Parent article: The risks of disclosing web vulnerabilities
Well, yes, but... Reading the article it appears the web site owners didn't acknowledge the problem until they were presented with data that proved their systems' failure.
In other words: They flat-out denied they had a problem -- until it was proven to them with their own data.
It is hard for me to see how an organization acting in denial of their own problems could be convinced of their web site deficiencies in another manner.
So he *had* to retrieve data, and he *had* to distribute them. But, of course, he *didn't* have to retain them once they were sent.
I see this behaviour as a typical "we don't have any problems, but we'll sue you to pieces if we have" scare tactic. Utterly, utterly irresponsible. And pathetic, too.
An anecdote: A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly. That's how these things should work.