I recently read on reddit.com about a 17 year old who discovered a cross site scripting (XSS) vulnerability in a PayPal script. The XSS attack takes advantage of a small amount of JavaScript to provide the exploit. The 17 year old German who discovered it submitted the exploit to PayPal as part of their bounty program, but was denied because he is 17 and the minimum age to participate in the bounty program is 18. As a result the 0 day has been released to the public: http://seclists.org/fulldisclosure/2013/May/163.
The purpose of this post is not specifically related to the 0 day but is more of an ethical discussion on releasing exploits. I personally believe that it's perfectly acceptable for security researchers to release exploits they uncover through various security channels. However, I think that the most important part is that the organization affected by the 0 day is given an appropriate amount of time to fix the vulnerability before it's released. If, for example, the organization doesn't want help, as in the case of PayPal, then the community has a responsibility to release the exploit so that the community is aware.