by TeMPOraL
3248 days ago
That seems unreasonable. If I logged in to a service and saw a URL like http://example.com/1234/secret_data, calling them with a report of a potential vulnerability would be a waste of their and my time 98% of the time. And there's an infinite number of such "potential vulnerabilities" to report, too. Like on HN, I see I can edit my profile description over at https://news.ycombinator.com/user?id=TeMPOraL. I wonder what happens when I change the 'id' param? Better not try it out, but call 'dang immediately! Discovering an actual vulnerability in the first place requires doing something that could be considered hacking.