On 7/24/07, Fabio Pietrosanti (naif) <[EMAIL PROTECTED]> wrote: > I have no time to write a detailed post on the issues related with the > guys that are recently releasing bugs of web services. > > I would like someone analyze the implications, differences in terms of > community advantages, people risks, technology enhancements related with > the disclosure of vulnerabilities of web services (misc websites of > railways, internet providers, public agencies, search engines and > webmails) VS the disclosure of vulnerabilities in standalone pieces of > software. > > I don't like the public disclosure of XSSs and SQL Injections (and stuff > like that) on third party web sites, i don't consider it useful for > anyone, too risky for the 'researcher' and too risky for the third party > websites. > > Only in July there was a storm of fucking websites vulnerabilities > announcements: > > - http://seclists.org/fulldisclosure/2007/Jul/0457.html TRENITALIA.COM > - http://seclists.org/fulldisclosure/2007/Jul/0460.html STATCOUNTER.COM > - http://seclists.org/fulldisclosure/2007/Jul/0437.html ACTUAL TESTS > - http://seclists.org/fulldisclosure/2007/Jul/0296.html ORKUT > - http://seclists.org/fulldisclosure/2007/Jul/0187.html Wachovia Bank > - http://seclists.org/fulldisclosure/2007/Jul/0035.html blinzzard.com > - http://seclists.org/fulldisclosure/2007/Jul/0036.html WORLDOFWARCRAFT.COM > > Hey guys, do you feel yourself cooler than before, now? >
Feel free to edit at will for your own definition... http://en.wikipedia.org/wiki/Full_disclosure "Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to save face. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced. "In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as Bugtraq and full disclosure by other means." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
