ha.ckers sla.cking
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Contacting support...
Posted by: Dave
Date: August 26, 2006 01:00PM

Do you contact the "maintainer" and wait 5 days before you publish a found sec issue?
I noticed that most companies that don't answer after 1 day won't do so in the following days. I don't understand why they don't answer; do they think "wow, he can change the font color" or what? I could also exploit the issue instead of writing mails, so I want to get a response at least.
Is XSS still not seen as a serious security issue?
What do you add to your mails: a short explanation of what can be done with XSS, or links to information pages?

Re: Contacting support...
Posted by: Girzi
Date: August 26, 2006 01:24PM

Well, for a reflecting XSS, most of the time they don't answer because you can't do damage immediately on the site. You need to exploit so else. I mean a click or something else...
But for permanent XSS you can do BIIIIG damage =) Usually they answer.
For reflecting XSS I usually just don't contact them...

Re: Contacting support...
Posted by: alf
Date: September 29, 2006 09:33AM

Some time ago I found XSS + SQL injection on the homepage of a big airport which also provided services like "book your flight online" etc. I wrote a mail addressed to the person responsible for this page; that was 6 months ago. No reaction.
That pisses me off sometimes ^^

cheers alf
