You may have noticed it's been a while since I posted anything here… - Alierak — LiveJournal
I haven't read the ToS, so I don't really know what the rules are, but here's what I answered, in order: "in full detail", "everyone", "in full detail", "friends only".
The reason for the first and second is that giving full disclosure on a bug that's fixed gives everyone the chance to study it and learn from the mistakes, but it's still "safe" because no one can run out and use it to steal someone's journal. If by "fixed" you only mean "fixed on the test site, but still not fixed on the main site", then I'd say don't disclose it to everyone... maybe just friends. I answered "everyone" under the assumption that you WANT to disclose your experience and the bugs you found to everyone... if you don't, you're not under any ethical obligation to do so.
As to the second, I think you gave Brad long enough to check into the security holes and fix them, or at least to acknowledge them all. Of course, if he really did misplace them, someone might take your reports and resubmit them and try to take credit... well, your call on that. As to what to disclose and to whom, I think full disclosure is again good because it allows us to learn from the mistakes. I don't think necessarily disclosing it to the entire world is a good idea, because it could turn into a recipe for a script-kiddie. Posting friends-only doesn't necessarily mean someone won't republish what you write and make it public, but I think it's a happy medium between full disclosure to everyone and not disclosing anything.
Of course, if you don't want to share anything, don't, but I'd definitely be interested to see what you write.
Date: July 19th, 2006 08:32 am (UTC)
Thanks. I'm definitely leaning in the direction of your answers. It is reassuring that you are one of the few people on my flist actually qualified to give advice on security research.
As for things being fixed only on the test site, it's (imho) unethical to discover that, because you'd have had to try an exploit on the main site, which was not in the scope of the challenge. Permission was granted to bang on only the test server, afaik. But I think I can assume security bugfixes were applied to the test site and then to the main site within a day of the changes having appeared in public CVS / SVN. The bugs I'm calling "fixed" ought to be unambiguously dead at this point.
Oh, right, good point. In that case, I think you're right, you've got every reason to believe that "fixed" means fixed.