Vulnerability Reporting in a Web 2.0 World
Dave G. | May 25th, 2007 | Filed Under: Disclosure
I reported a vulnerability on a website developed by a popular Web 2.0 company. As it happens, we are a paying customer, so I really want them to take it seriously.
I will now post an anonymized version of the conversation:
Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.
They reply:
Thanks for the tip, David. It’s been noted.
I reply:
Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?
They reply:
Hi David, We’re always looking for new ideas and fixes to roll out in future updates but as a rule we don’t comment on possibilities or timeframes.
I reply:
How will I know when this vulnerability is fixed?
They reply:
Actually, they don’t reply at all.