I am not suggesting exposing zero-days. I only want known vulnerabilities in applications like WebGoat etc. that are known to everyone. I don't even plan on naming where each vulnerability comes from, but rather change the code to protect the innocent. I would never encourage promoting sharing zero-days. I hope this clears it up.
Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A. The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668

From: Arshan Dabirsiaghi [mailto:arshan.dabirsia...@aspectsecurity.com]
Sent: Tuesday, March 16, 2010 2:49 PM
To: McGovern, James F. (P+C Technology); Matt Parsons; owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: RE: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities to blog about

I'm not sure Matt was suggesting burning or sharing 0-days, but if he was, I think he should not be discouraged. I think disclosure preference should be something like a "protected class" within OWASP.

Arshan

From: McGovern, James F. (P+C Technology) [mailto:james.mcgov...@thehartford.com]
Sent: Tuesday, March 16, 2010 2:36 PM
To: Matt Parsons; owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities to blog about

This doesn't feel like responsible disclosure and is not the way to announce weaknesses in software. It is best to deal with scenarios that have already been addressed.
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt Parsons
Sent: Tuesday, March 16, 2010 11:41 AM
To: owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [SC-L] blog post and open source vulnerabilities to blog about

Hello,

I am working on a software security blog and I am trying to find open source vulnerabilities to present and share. Does anyone else have any open source vulnerabilities that they could share and talk about? I think this could be the best way to learn in the open source community about security. I have a few, but I would like to blog about a different piece of code almost every day.

God Bless.
Matt
http://parsonsisconsulting.blogspot.com/

Matt Parsons, MSM, CISSP
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________