I'm preparing a series of posts where I'm disclosing several security vulnerabilities that I discovered the spring and summer of 2017.
|Published:||Wed, August 9, 2017, 23:00|
Over the years I've discovered so many security holes and information leaks on the Internet. Earlier I've only notified the involved parties, but I think it's time to go public doing "responsible disclosure".
Working with preparing these posts I've asked myself repeatedly if I should go public with my findings or not.
I'm still not entirely sure what the right answer is. What I do know is that I want increased focus on web security and that I feel a social responsibility to do so.
The purpose of posting these vulnerabilities is fivefold:
Hopefully the issues presented on this site can be a small part of getting some kind of discussion on how to deal with computer security and personal data.
While looking for security vulnerabilities I have followed a few simple rules.
The levels of the sensitivity in the information leaks I found vary. They go all the way from "Nah, I don't really care" to "0hly shit, this is not cool". But I think they all represent some unique points in respect of vulnerabilities and in respect of type of personal information.
I'm all for responsible disclosure and have immediately reported my findings. Generally I'm not publishing any details the problem has been confirmed fixed. However, sadly, in some cases there's just no interest or response from the other party.
If you want more thoughts about responsible disclosure I would recommend reading Troy Hunt's site (and maybe especially the video in that link).