websecurity October 2007 archive

Re: [WEB SECURITY] Website Vulnerability Disclosure Stances

From: <jross_at_nospam>
Date: Thu Oct 04 2007 - 01:13:18 GMT
To: websecurity@webappsec.org


On Wed, Oct 03, 2007 at 07:24:35PM -0400, robert@webappsec.org wrote:
> Hello,
>
> We're all aware of policies such as R.F.P.'s and how companies
> address product related issues however I rarely see people
> speaking about website vuln disclosure stances.
> Do most companies provide public acknowledgement to vulns
> in their websites and provide 'credit' to those working with them?
> Do they provide acknowledgement to an issue with no details or
> support a formal advisory released by the vuln finder?

From what I've seen, website vulns for the most part don't get
"disclosed" at all really. The only time you hear about them is when it's a major player (myspace worms, google apps, etc.)

But when that happens, it's not really disclosed in the way that I think of disclosure; it's more like "headlined" all over digg/slashdot etc.

RSnake has an interesting post on the topic, and the results of attempting to define an 'RSPolicy' similar to RFP's.

I think there are a couple of reasons for this being the case:

  • In "hacker" circles, website defacement is seen as a script kiddie activity (give or take a few 'hacktivist' groups). As such, there's not much "cred" to be gained by having a web site exploit attached to your name. Where there is, it's generally attached to the underlying framework (phpBB, etc.) rather than a given site.
  • Until recently, the (public anyway) perception has been that web apps are largely "ads". That is, with a few exceptions, the main point of a website was to be a brochure for a company. The onset of "Web 2.0" is changing that, and web apps are more and more becoming:
    • blended into the desktop (online office apps)
    • about the end user more than the company that owns the site.

I expect that the second item will result in it becoming more and more not a kiddie thing to exploit a web site, depending on the payload of said exploit.

I also think that this is a big reason why folks are starting to wonder about website disclosure policies =)

-- Jason

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss