They should be able to look at their database to determine if anyone else has used this method to inject arbitrary HTML into a page in the past.

They should then put up a notice on their website to describe what happened, describe how they confirmed that this flaw hasn't been exploited previously, and describe what measures they will take in future to prevent this sort of problem.

In my opinion, that is how a "good" company would react. Anything less would be a disappointment.

> In my opinion, that is how a "good" company would react.

This is (more or less) how GitHub has reacted to security issues in the past. However, at the moment this seems to be a fairly small exploit that wasn't aggressively used by any would-be exploiters. I definitely don't think GitHub should put up a notice for this.

Would you really want to be alerted every time a website you used closed a minor security hole that had possibly never even affected anyone? They absolutely should, if any user information was leaked, or if there was downtime involved, but you honestly do not need to keep informing users about this sort of mundane security update. At best, I would suggest it go on their blog.

Not reporting "oh, we found an XSS hole that maybe one or two people had used before" is NOT a disappointment.


> that wasn't aggressively used by any would-be exploiters.

Doesn't matter. A response shouldn't be measured according to how widely a security hole was exploited, it should always be responded to with full information and transparency.


I expect good software developers to report all buffer overflows that they fix, regardless of whether or not they know of any active exploits. So yes, I expect good website admins to do the same with XSS.
