by nbpoole 5567 days ago
The full quote from Rick Ross is "I am grateful that Ben Newman and Albert Sheu of Quora have identified a (now fixed) XSS vulnerability in our test site, but I am surprised that Quora policy permits developers to engage so openly in vandalizing other people's websites." which is slightly nicer than that article makes it sound.

Personally, I think the Quora engineers involved made some poor decisions. Anyone who looks for security vulnerabilities on websites they don't own or control is on shaky legal footing (there are exceptions: Google, Mozilla, Facebook, and a few other companies provide systems for the responsible disclosure of vulnerabilities). However, publicly disclosing vulnerabilities on a competitor's website (and making your proof of concept mildly malicious) is never going to work out well for anyone: it makes your company look like a bully and exposes you to potential legal ramifications.

2 comments

As a former web application security guy and now a developer, I can say that identifying and disclosing vulnerabilities on websites is still very much a troubled area. Most companies don't have proper security@ email addresses set up or monitored, and still don't take kindly to vulns being reported.

That said, publicly disclosing a flaw in addition to defacing the website, even temporarily, is certainly not a classy way to go about it.

Or exposes you to a group of individuals who will want to make you regret showing off.