Skeptikal.org

Tuesday, December 23, 2008

Reporting Security Holes

With Russ's latest blog post came links to a few articles dealing with the recently exposed American Express XSS holes. In short, AmEx dealt with it badly, ignoring Russ's three attempts to contact them and only fixing the issue when it got posted publicly (after their PR watchdogs brought the post to their attention).

One of the more interesting articles was at BetaNews. Please read it.

I don't think that AmEx's web developers read my blog (at least I haven't seen many related IPs pop up in my logs), but maybe they should. Their primary excuse for not fixing the flaw is that it didn't get to the right people.

Now, exactly whose fault is that?

I wrote a few months ago, in my "Open Letter to The Internet," that website owners need to make it painless to report security issues. If they don't provide a simple process for doing so, I have a hard time feeling sorry for them. Russ's goal was to get the bug fixed, and contacting the company didn't do it. Once he posted it publicly, people actually started caring. (Unfortunately, the fix only lasted a day before getting broken by two more researchers, which makes me think that AmEx's programmers are inept to begin with.)

Russ made a good-faith attempt to contact the company not one, but three times. He sent messages to two different entities and gave them two weeks to respond. If it had been me reporting the bugs, I certainly wouldn't have given them that much effort unless I was on their payroll.

As I wrote back in August, "We are here to help, but we aren't necessarily here to help you."
