Security reporting response handling [was: Suggestions for the future on your web site]

Suresh Ramasubramanian ops.lists at
Tue Jan 22 11:27:04 UTC 2013

On Tuesday, January 22, 2013, Matt Palmer wrote:

> That article doesn't justify security review, it justifies not being a
> complete knob when someone reports a security hole in your site.  There are
> so many site vulnerabilities these days that they're not news.  What *is*
> news is when the vulnerable organisation goes off the deep end and
> massively overreacts to the situation.

Report - yes. What this kid seems to have done is: reported it, got
thanked for it. Then went ahead and pentested the site to see for himself
whether the bug was fixed or not. Which justifies the company asking him
to stop, I guess - and it definitely justifies the kid's prof chewing him

Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.


--srs

