[VIM] r0t is back - who's running the betting pool?

security curmudgeon jericho at attrition.org
Tue Mar 28 00:20:27 EST 2006


: OK, so us vuln DBs know that r0t is apparently back.  Anybody want to
: run the betting pool?
: 
: 1) When will we see the first vendor dispute in which the vendor
:    doesn't actually understand XSS and needs to be educated?

I'll put down a dollar on 48 hours from the first flood (last night to 
today) since his return. The handful before today didn't count =)

: 2) When will we see the first vendor dispute in which the vendor
:    claims that the reported SQL injection isn't a problem and we can't
:    prove that it's nothing more than a forced invalid SQL because r0t
:    used a ' and nothing else?

I'll take 48 hours on that too. I'd take less but he tends to find them in 
smaller packages where the devs don't seem to be camping their email like 
we do.

: 3) When will the first threatened lawsuit take place and how quickly
:    will the vendor retract it once proven wrong?

NOT SOON ENOUGH

: 4) When will we see an issue for a live site or service provider that
:    theoretically should not be included in vdb's based on editorial
:    policy but gets included anyway 'cause we're drowning in the
:    volume?

This one is hard to say but definitely a concern given so many researchers 
using the online demo to test. Hell, while looking around some different 
software packages, I was trying out demos to see functionality, and 
invariably found myself testing for simple XSS to gauge if they had 
considered security. =)

: And I'll buy a beer for anyone who's willing to write a generic "so, a 
: 14 year old has reported a blatantly obvious XSS or SQL injection vuln 
: in your product and you want to sue us" FAQ.

That beer is mine sir. Next legal threat any of us get, forward to VIM 
and I'll write up a FAQ and post it on the blog and here.
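[Added example, not part of the original post or anything r0t published.] 
Item 2 above hinges on a point vendors get wrong in disputes: a lone ' 
that throws a SQL syntax error is evidence the input reaches the query 
unescaped, but the dispute is usually "that's just invalid SQL, not 
injection". The way to settle it is to send a second payload that changes 
the query's logic instead of breaking it. The script below models that 
with sqlite3 and a constructed in-memory users table (the table, names and 
the lookup_unsafe/lookup_safe/audit function names are all assumptions 
made for illustration): the concatenating version errors on ' and then 
returns every row for ' OR '1'='1, while the parameterized version simply 
returns no rows for either.

```python
import sqlite3

def _make_db():
    # Constructed sample data for the demo, not taken from any real product.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable pattern: user input spliced directly into the SQL text.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened pattern: the value is bound as a parameter, never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def probe(lookup, name):
    # Run one lookup on a fresh database and report either a SQL error or rows.
    conn = _make_db()
    try:
        return ("rows", lookup(conn, name))
    except sqlite3.OperationalError as e:
        return ("error", str(e))
    finally:
        conn.close()

# The three inputs a reporter should try, in order: a benign value to learn
# the normal result, the bare quote that only proves the syntax breaks, and
# a boolean tautology that proves the attacker controls the query's logic.
PAYLOADS = ("bob", "'", "' OR '1'='1")

def audit(lookup):
    # Map each payload to its outcome for the given lookup implementation.
    return {p: probe(lookup, p) for p in PAYLOADS}

def is_injectable(lookup):
    # Injection is demonstrated only when the tautology returns MORE rows than
    # the benign lookup; a syntax error alone is not the proof.
    results = audit(lookup)
    benign = results["bob"]
    tautology = results["' OR '1'='1"]
    if benign[0] != "rows" or tautology[0] != "rows":
        return False
    return len(tautology[1]) > len(benign[1])

if __name__ == "__main__":
    for label, fn in (("concatenated", lookup_unsafe), ("parameterized", lookup_safe)):
        print(f"--- {label} ---")
        for payload, outcome in audit(fn).items():
            print(f"{payload!r:16} -> {outcome}")
        print("injectable:", is_injectable(fn))
```

Run it and the concatenated lookup shows exactly the sequence a vendor 
would argue about: bob returns one row, the bare quote dies with an 
unrecognized-token error, and the tautology returns all three users. The 
last step is what turns "forced invalid SQL" into a demonstrated 
injection; the parameterized lookup returns an empty result for both 
hostile inputs and is_injectable() reports False.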


