A note on finding and reporting vulnerabilities.

Yesterday I found an XSS vulnerability in the Blog4Umbraco package, and after I'd found it I did what I thought was right. I documented the vulnerability and the solution, and posted it on the forum at Our Umbraco. At first glance, that might seem right. However, I've now had time to consider the approach properly.

I tweeted my findings, and after a few minutes I got a mail from Umbraco founder Niels Hartvig, saying that he would've loved a heads-up before I posted. Yeah, I should've given him that. My post may have been informative and all, but giving the Umbraco team a heads-up would've made sure that a solution was made redistributable from them, instead of having developers find the solution - if they were looking - on their own.

The next time I find a vulnerability, I know the order of things.

  1. Document the vulnerability.
  2. Notify the distributor.
  3. Wait for a fix, and an OK to publish.
  4. Publish.

But what I want to know is, where's my piece of flair? :)