RE: [WEB SECURITY] Disclosure for Web Applications



Dennis said:
"And this is a perfect example Jeremiah of why I think that education is so
important - how about notifying both the ftp company and the user of the ftp
program in question? Because of liability? The problem seems to be that our
society has become way too litigious to do the right thing anymore. If you
help somebody in a car accident and the person dies the family sues you for
wrongful death...

So what do we do?  Kill all the lawyers. ;-)"

----

I would certainly agree that notification of both the ftp company and the
users of the ftp program is responsible and education is paramount; however,
the issue comes in the form of: I can't legally test the ftpd on the remote
site without permission. That would be considered illegal (in most
countries). If I could install the ftpd locally and find the vuln... rock on.


Otherwise nobody can legally discover problems in the target environment
(read any web site) and we get into a very sticky catch-22. I can't legally
find the vulnerabilities, and I can't legally disclose them. So vulnerable
websites are destined to (legally anyhow) stay that way. I don't know about
you, but that says to me that the state of security will steadily decline
the more lines of code that are created.

PS: I second your notion of killing all of the lawyers. Especially the ones
that put security researchers in jail! :)

Cheers

--txs



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org