undefined | Better HN

0 pointsdurin4215y ago0 comments

That actually sounds like an awful way to report an XSS. Honestly, as someone that maintains a web service I have to say I'd prefer private disclosure than even the rickroll approach. All it takes is one "genius" doing some copy-paste action and then you're in a world of hurt and damage control.

0 comments

3 comments · 1 top-level

mike-cardwell15y ago· 2 in thread

Regarding this and the other response to me. I would never do what I described. I was just trying to demonstrate to those that don't understand XSS properly, that these issues are serious. I don't think a Rick Rolling really gets that issue across.

If I do an XSS attack against you on github whilst you are logged in, I can compromise all of your source repositories, your code, and in turn, potentially compromise the systems of your users.

durin42OP15y ago

End-users aren't who you need to tell. Just site owners. Posting this to HN before it was fixed constitutes (IMO) completely irresponsible disclosure.

mike-cardwell15y ago

I agree. I would not have disclosed this particular XSS flaw until after it was fixed.

1 more reply

j / k navigate · click thread line to collapse