IT Security and other matters
PayPal Vulnerability Disclosure statement.
Posted at 9:58 AM on 11/26/2007 by GenesysWave

Had some interesting reading over the weekend thanks to my friend Don and Jeremiah Grossman.

I anticipate that there will be some clarification forthcoming from PayPal regarding certain parts of their Vulnerability Disclosure Policy, specifically the "reasonable time" statement.

I am going to play devil's advocate on this a bit. What is reasonable to me may not be reasonable to someone else. Is PayPal going to set up this time frame with the researcher when the disclosure is made? Will it be a flexible time frame based on how PayPal is able to respond to something? What happens if someone else independently discovers and discloses the same vulnerability? What "proof" will the researcher need to provide to PayPal that they were not the one who disclosed the information?

These have probably been discussed internally at PayPal already, and the intent of the statement was to provide a declaration that PayPal was willing to work with researchers and was not supposed to be the final word on disclosure.

If you have any thoughts on this, please join the discussion on the Security Catalyst forums at http://www.securitycatalyst.org

Be safe,
James