It bugs me that winners of the contest aren't publicly announced or credited, so it's not much of a contest. It also bugs me that I submitted four additional XSS vulnerabilities, three of which were never acknowledged and none of which have been fixed afaik. I don't think I ever received a fourth permanent account, either, and theoretically I might be due a total of seven. To "submit" a vulnerability, you send private email to Brad. Yeah. I suspect he puts them in the security queue in RT, but there's no way to check. Meanwhile permanent accounts have been losing value through LJ changes such as introducing ads, giving away paid features to ad-sponsored users, etc. So anyway, my trust in LJ hasn't been at its highest levels.
But given that my friend
xb95 is going to be starting to work on LJ again, I figure it's probably all going to be okay. Now, what should I do with that half-formed post about my experience with the LJ XSS contest? Is four months enough to resort to public full disclosure, and do I dare toy with the ToS?How should alierak describe LJ XSS vulnerabilities that have been fixed?
in full detail
13(100.0%)
in vague terms
0(0.0%)
not at all
0(0.0%)
To whom should alierak describe LJ XSS vulnerabilities that have been fixed?
everyone
8(61.5%)
friends only
5(38.5%)
nobody
0(0.0%)
How should alierak describe LJ XSS vulnerabilities that have not been fixed?
in full detail
6(54.5%)
in vague terms
5(45.5%)
not at all
0(0.0%)
To whom should alierak describe LJ XSS vulnerabilities that have not been fixed?
everyone
2(15.4%)
friends only
11(84.6%)
nobody
0(0.0%)
(Yup, this poll was brought to you by my upgraded account)
