Evil Jim O’Donnell on Nostr: Security question: several months ago I emailed someone about an XSS injection ...
Security question: several months ago I emailed someone about an XSS injection vulnerability in the code that they use to sanitise user-generated content. I got back a ‘we take security seriously’ canned reply, then nothing. The vulnerable library still hasn’t been patched.
What’s the next step, in terms of responsible disclosure? Chase them, or publish the vulnerability publicly?
Published at 2024-12-21 12:49:12
Event JSON
{
  "id": "c1d5587a53ad33fbe329cca0500bb5975d2b035a730e8595e4cc7754ba765e59",
  "pubkey": "68c64ddd9f53d625a5b3358a71def0609a87bf0d6339bbebbc1b9bd0c9a61307",
  "created_at": 1734785352,
  "kind": 1,
  "tags": [
    [
      "proxy",
      "https://mastodon.social/users/eatyourgreens/statuses/113690892841377671",
      "activitypub"
    ]
  ],
  "content": "Security question: several months ago I emailed someone about an XSS injection vulnerability in the code that they use to sanitise user-generated content. I got back a ‘we take security seriously’ canned reply, then nothing. The vulnerable library still hasn’t been patched. \n\nWhat’s the next step, in terms of responsible disclosure? Chase them, or publish the vulnerability publicly?",
  "sig": "8b71135a3888bfb3dfed1a4d184218ef3bb2d6f287d3cec535b672dbf7e0fa478c73d7a6701fd49cc7830457ddcc7fae658d1ca6cdad71af5ba3db0949f71863"
}