by jrockway 5567 days ago
Vandalism is a stupid word to use. I imagine the process went something like this: "I wonder what happens if I add <script>$.fadeOut() as the text of the question" "Oh crap, it worked".

This is called experimentation. If you're in chemistry class and you mess up a lab, you're not accused of vandalizing apparatus... it's simply what happens when you are trying something out. Similarly, when you have a text box on a test website, someone is going to type something in, and if that causes the page to disappear, well... fix the bug and move on.

I disagree.

1. There are plenty of proof of concepts you can develop that don't destroy the page.

2. The Quora engineers in question didn't enter stuff into a textbox and leave it alone. They went and publicly disclosed a cross-site scripting vulnerability in a competitor's website.

Edit: Ben deleted his "answer" which disclosed the XSS. However, the comments on the answer are still accessible (for now) if anyone is curious about them: http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/a...

Edit 2: Rick Ross posted a comment there I think is worth highlighting.

"In a way, we're grateful to these guys (Ben and Albert) for helping us close a hole. Their method of publicly vandalizing a test site and bragging about it is another matter. A simple email would have sufficed."

The "ethics" of "full disclosure" are a long-running subject, but many people agree that the technique is fine. Don't shoot the messenger.
Your chemistry class example is nonsensical. In class, if there is an opportunity to explore a few things and a mess is made, maybe you would not be blamed. That's usually not how labs are run--you follow a procedure and mixing chemicals with no forethought is a huge safety hazard to everybody in the lab. Neither the "real world" nor the Internet is a place with a mutual agreement between all participants to experiment with each other's property.

Maybe a better example would be going into your neighbor's backyard and testing how readily his shrubbery lights on fire. Oops, it's burning! Tell him to "fix the bug" and move on.

No, a better example is going into your backyard, shining a flashlight onto your neighbor's shrubbery, and then having the neighbor complain to you about changing the shrubbery's color from black to green.

The protocol for a shrub is: you shine light on it, it reflects light back. The protocol for a public web service is: you send it an HTTP request, it sends an HTTP response. If you don't want your neighbors to see your shrubbery, build a fence. If you don't want your website to contain arbitrary scripts, don't let users submit arbitrary scripts.
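The last sentence of the post above is the whole defensive point of the thread: user-submitted text must be encoded on output so the browser treats it as data, not markup. The following is an added example, not code from the thread or from Quora or Qato; it assumes a hypothetical Q&A page that builds the question heading from a user-supplied title string, and the sample title is constructed from the payload mentioned earlier in the thread.

```javascript
// Added example: output encoding of user-submitted question text.
// Assumed scenario (not from the thread): a Q&A page renders a question
// title string supplied by a user into an HTML fragment.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern behind the bug discussed in the thread: user text dropped
// into markup verbatim, so a <script> tag in the title becomes live code.
function renderQuestionUnsafe(title) {
  return `<h1 class="question">${title}</h1>`;
}

// The fix: encode on output. The browser now shows the literal characters
// "<script>" in the heading instead of executing anything.
function renderQuestionSafe(title) {
  return `<h1 class="question">${escapeHtml(title)}</h1>`;
}

// Constructed sample input modelled on the payload the thread describes.
const SAMPLE_TITLE = '<script>$.fadeOut() Is this a Quora clone?';

// A check for a test suite or a response scanner: does a rendered fragment
// still contain an unescaped <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe:', renderQuestionUnsafe(SAMPLE_TITLE));
console.log('safe:  ', renderQuestionSafe(SAMPLE_TITLE));
console.log('unsafe fragment carries a raw script tag:',
  containsRawScriptTag(renderQuestionUnsafe(SAMPLE_TITLE)));
console.log('safe fragment carries a raw script tag:  ',
  containsRawScriptTag(renderQuestionSafe(SAMPLE_TITLE)));
```

The escaping here is correct for the HTML text and quoted-attribute contexts only; text placed inside a `<script>` block, a URL, or an inline style needs a context-specific encoder instead. Templating libraries that escape by default make the safe path the default path, which is the cheaper fix than auditing every concatenation.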

Let's not forget the Quora engineers are working for what is (in the very loosest sense of the word) a competitor.

If we're doing silly analogies, it's the equivalent of Starbucks sending their staff round to your new cafe with Groupons leaving no coffee or seats for the real customers and then publicly mocking your staff's incompetence in handling the situation. Sure, it's your fault for running the promotion and not buying enough coffee, but you might still consider BigCorp's behaviour a little underhand.