You may have noticed it's been a while since I posted anything here.… - Alierak — LiveJournal
Date: July 19th, 2006 08:32 am (UTC)
Thanks. I'm definitely leaning in the direction of your answers. It is reassuring that you are one of the few people on my flist actually qualified to give advice on security research.
As for things being fixed only on the test site, it's (imho) unethical to discover that, because you'd have had to try an exploit on the main site, which was not in the scope of the challenge. Permission was granted to bang on only the test server, afaik. But I think I can assume security bugfixes were applied to the test site and then to the main site within a day of the changes having appeared in public CVS / SVN. The bugs I'm calling "fixed" ought to be unambiguously dead at this point.
Oh, right, good point. In that case, I think you're right, you've got every reason to believe that "fixed" means fixed.