About the Author

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.

All Posts for Nov 2007

Skip This Section and Jump to the Main Content

2003
2004
2005
2006
2007
2008
2009
2010

'03:: All; Aug; Sep; Oct; Nov; Dec

'04:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'05:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'06:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'07:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'08:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'09:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'10:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug

PayPal Groks Security?

Wed, 21 Nov 2007 21:48:21 GMT
2 Comments
References
Link

Via Jeremiah, I see that PayPal's new vulnerability disclosure policy includes an amnesty clause for well-intentioned security researchers:

To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry.

Their guidelines include some subjective language, so I'm not sure how much protection this policy actually offers. (Any lawyers want to clarify?) Here they are:

Share the security issue with us before making it public on message boards, mailing lists, and other forums.
Allow us reasonable time to respond to the issue before disclosing it publicly.
Provide full details of the security issue.

PayPal also describes what not to do:

Potential or actual denial of service of PayPal applications and systems.
Use of an exploit to view data without authorization, or corruption of data.
Requests for direct compensation for the reporting of security issues either to PayPal, or through any external marketplace for vulnerabilities, whether black-market or otherwise.

If you're like me, some questions come to mind. How much time is reasonable? Since data can be anything, how do we know if we view data without authorization? Don't most people assume they're authorized to view something if they're allowed to view it? Does intent matter?

Questions aside, here's hoping this is a genuine attempt to do the right thing. Thanks, PayPal.

To my fellow Americans, have a wonderful Thanksgiving holiday! To everyone else, have a nice rest of the week. :-)

Remember, Remember

Mon, 05 Nov 2007 20:32:39 GMT
0 Comments
References
Link

The 5th of November. Just kidding. No, remember tonight's PHP Meetup, starring Andrew van der Stock of OWASP:

Andrew van der Stock, Executive Director of OWASP (Open Web Application Security Project) will be speaking about upgrading the security of old legacy PHP code and bringing it up to date using best practices.

Please RSVP if you plan to attend, because we want to have enough pizza and drinks available. (If you don't want to sign up on yet another web site, you can also contact me directly.)

If you can't make tonight's meetup, I hope to see you at the DC PHP Conference later this week.

Hope your week is off to a great start. :-)

Upcoming Events

Brooklyn Beta

21 - 22 Oct 2010

At The Invisible Dog, Brooklyn, New York.

New Comments

Mario Arroyo wrote:: The article is really very good and the users comments and external links to another articles jus...; Posted in
Raphael Almeida wrote:: I realy like hiphop music, but this is very crazy! We'll use it in user group PHP conference at ...; Posted in PHP Anthem
Mal wrote:: Having used smarty for many years, this has never been a problem for me, but after building a web...; Posted in PHP Stripping Newlines
Satya wrote:: Thanks for the info. I have posted the news here on my page: http://www.facebook.com/pages/Web-Sc...; Posted in PHP Anthem
John wrote:: Oh, you need to press "save your password".; Posted in Mozilla Account Manager