What to do if you find a security problem in your browser
Saturday, 11. June 2005, 13:56:11
Do you want to research and uncover browser security holes? Great! Go ahead, the web will be a better and safer place because of your efforts. And trust me, there are problems waiting to be discovered...
However, there are some un-written rules of security research that are worth keeping in mind. Most important of them is to remember to contact the product vendor before publishing the problem anywhere, and wait for their response.
Why is this so important?
Well, first and foremostly it may prevent malicious coders from learning about an exploit before the vendor has a patch that will protect the users.
Secondly, it will boost your status as a security researcher. Browser vendors - be it Opera, Mozilla or Microsoft - appreciate your help in finding security problems. They will acknowledge your help in their security advisories if you approach them about a problem and don't make it public until a fix is available. That again gives you name recognition and professional attention.
Finally, waiting for vendor response will also make you sure that what you found actually is a security problem. Many problems and bugs are not security issues. If it isn't a security problem and you have made it public, you just demonstrated that you are not a professional researcher, and you end up looking silly in public. Don't.
<http://news.com.com/2061-10789_3-5739734.html>
However, there are some un-written rules of security research that are worth keeping in mind. Most important of them is to remember to contact the product vendor before publishing the problem anywhere, and wait for their response.
Why is this so important?
Well, first and foremostly it may prevent malicious coders from learning about an exploit before the vendor has a patch that will protect the users.
Secondly, it will boost your status as a security researcher. Browser vendors - be it Opera, Mozilla or Microsoft - appreciate your help in finding security problems. They will acknowledge your help in their security advisories if you approach them about a problem and don't make it public until a fix is available. That again gives you name recognition and professional attention.
Finally, waiting for vendor response will also make you sure that what you found actually is a security problem. Many problems and bugs are not security issues. If it isn't a security problem and you have made it public, you just demonstrated that you are not a professional researcher, and you end up looking silly in public. Don't.
<http://news.com.com/2061-10789_3-5739734.html>
WIDGETIZE
qicai02 # 30. May 2006, 08:07