It bugs me that winners of the contest aren't publicly announced or credited, so it's not much of a contest. It also bugs me that I submitted four additional XSS vulnerabilities, three of which were never acknowledged and none of which have been fixed afaik. I don't think I ever received a fourth permanent account, either, and theoretically I might be due a total of seven. To "submit" a vulnerability, you send private email to Brad. Yeah. I suspect he puts them in the security queue in RT, but there's no way to check. Meanwhile permanent accounts have been losing value through LJ changes such as introducing ads, giving away paid features to ad-sponsored users, etc. So anyway, my trust in LJ hasn't been at its highest levels.
But given that my friend xb95 is going to be starting to work on LJ again, I figure it's probably all going to be okay. Now, what should I do with that half-formed post about my experience with the LJ XSS contest? Is four months enough to resort to public full disclosure, and do I dare toy with the ToS?
How should alierak describe LJ XSS vulnerabilities that have been fixed?
To whom should alierak describe LJ XSS vulnerabilities that have been fixed?
How should alierak describe LJ XSS vulnerabilities that have not been fixed?
(Yup, this poll was brought to you by my upgraded account)