Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit
From: n3td3v <xploitable () gmail com>
Date: Sun, 31 Oct 2004 03:22:57 +0000
I feel sorry for all the security pros outside of gmail and google, so
I say the below on behalf of them...
Should the general public be expecting a disclosure of the
vulnerability to security mailing lists once a solution has been
implemented to patch the hole, so other web-based services are aware
of the possibility of the same problem being an issue for them, or
should gmail be keeping everything secret after they patch?
I guess if the gmail team did not want to make a public disclosure of the
vulnerability, the gmail folks would send a private e-mail to people
like yahoo, if it was found to be a current issue for other web-based
e-mail services, or a future possibility.
If none of the above, can we expect the "hacker" to make an
announcement once he has heard back from the vendor that a solution
and patch has been implemented?
If this was a private disclosure, then no one would be asking for a
public announcement of the vulnerability, but since this has been made
into a public, high profile disclosure, is it not right in the public
interest for either the "hacker" or the gmail team to make the
vulnerability known, after it's safe to do so?
Full-Disclosure - We believe in it.