Security reporting response handling [was: Suggestions for the future on your web site]

• Previous message (by thread): Security reporting response handling [was: Suggestions for the future on your web site]
• Next message (by thread): Security reporting response handling [was: Suggestions for the future on your web site]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tuesday, January 22, 2013, Matt Palmer wrote:

> That article doesn't justify security review, it justifies not being a
> complete knob when someone reports a security hole in your site.  There are
> so many site vulnerabilities these days that they're not news.  What *is*
> news is when the vulnerable organisation goes off the deep end and
> massively
> overreacts to the situation.
>

Report - yes.  What this kid seems to have done is - reported it, got
thanked for it. Then went ahead and pentested the site to see for himself
whether the bug was fixed or not.   Which justifies the company asking him
to stop I guess - and it definitely justifies the kid's prof chewing him
out.

Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.

--srs


-- 
--srs (iPad)

• Previous message (by thread): Security reporting response handling [was: Suggestions for the future on your web site]
• Next message (by thread): Security reporting response handling [was: Suggestions for the future on your web site]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]