@David RE support site: Interesting. Very interesting.

I haven't seen much discussion on the list about this. Maybe I need to pay
better attention.

@Dan, yes, I am aware of OWASP. It's one of the sites I frequent.

RE disclosure: I contact the vendors directly via email or phone, and keep
the initial email communication between myself, my supervisor (so they are
aware), and the vendor. I make myself available if they have questions, but
it's a careful line.

I am sitting on one CSRF I found today. My last interaction with this
vendor did not go over as anticipated, so I'm trying to determine the best
approach with this one.

On Mon, Mar 5, 2012 at 5:39 PM, Dan Scott <[log in to unmask]> wrote:

> I don't think these issues differ much from applications for any other
> domain; thus the existence of OWASP etc. to try and educate developers about
> common flaws in web applications and how to avoid creating them.
>
> What sort of disclosure method are you following (if any) for
> vulnerabilities that you have found? For Evergreen, our university
> consortium hired a security consultant to pen test the version of Evergreen
> we had installed at the time, and we followed Evergreen's disclosure
> process to address the relatively minor exposures that turned up. Of
> course, lots of new code has been written since then, so there are
> opportunities for new vulnerabilities to come into being.
>
> Dan
>
> >>> Erin Germ <[log in to unmask]> 3/5/2012 11:11 AM >>>
> I've been investigating several library software solutions and I have some
> serious concerns - ability to access restricted content/pages, ability to
> inject content into pages, ability to perform CSRFs, etc. Those examples
> and others I've not shared raise concern for me. I'm coming from three
> different perspectives: protection of user and system/solution stored data,
> the ability to use the system/solution to exploit the organization, and the
> ability to use the system/solution to infect user devices.
>
> Is there a focus group within C4L that discusses and investigates such
> matters? I've been doing investigations and research on my own, and I would
> be interested in working with others.
>
> V/R
>
> Erin
>