by bbastian 5352 days ago
This makes me wonder; how is it appropriate to handle vulnerabilities such as these?

A few months ago, I decided (as an experiment to see how common XSS actually is) to click on random HN links and type "<asdf '\"" into any search bars and look for weird rendering on the page or weird behaviour in the page source. After half an hour, I had five or so exploitable XSS vulnerabilities, two of the more prominent ones being CNN and Newegg. I sent emails to their security-related issue addresses, but they never responded or fixed the issue.

After sending them a couple more emails, I just gave up. But this article makes me wonder, could I have handled the situation better? The thought of releasing a benign-but-scary exploit crossed my mind, but I'm uncertain...
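
The probe described in this post (typing a canary like `<asdf '"` into a search box and then inspecting the page source) can be turned into a small reflection check. The following is an added example, not the poster's own code or anything from the sites named above. It assumes the response bodies have already been fetched; the four sample responses embedded in it are constructed for illustration, and the list of entity encodings it recognises is an assumption about what typical servers emit. It reports not just whether the canary is reflected, but which of the three special characters survived unencoded and whether the reflection sits in text or inside a tag, which is what decides exploitability: a raw `<` in text allows tag injection, while raw quotes inside an attribute allow an attribute breakout even when `<` was escaped.

```python
import re

# The canary the post describes typing into search boxes.
PROBE = "<asdf '\""

# Encodings a server might use for each special character in the probe.
# Assumption: this covers the common named and numeric forms.
ENCODINGS = {
    "<": ["&lt;", "&#60;", "&#x3c;"],
    "'": ["&#39;", "&#x27;", "&apos;"],
    '"': ["&quot;", "&#34;", "&#x22;"],
}

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "text_raw": "<p>No results for <asdf '\"</p>",
    "attr_partial": "<input name=\"q\" value=\"&lt;asdf '\"\">",
    "escaped": "<input name=\"q\" value=\"&lt;asdf &#39;&quot;\">",
    "absent": "<p>No results.</p>",
}


def probe_regex(probe=PROBE):
    """Build a regex that matches the probe with each special character
    captured as either its raw form or one of its entity encodings."""
    parts = []
    for ch in probe:
        if ch in ENCODINGS:
            alts = [re.escape(ch)] + [re.escape(e) for e in ENCODINGS[ch]]
            parts.append("(" + "|".join(alts) + ")")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def reflections(body, probe=PROBE):
    """Return [(offset, raw_chars)] for every reflected copy of the probe,
    where raw_chars is the set of special characters that came back unencoded."""
    specials = [c for c in probe if c in ENCODINGS]
    found = []
    for m in probe_regex(probe).finditer(body):
        raw = {c for c, g in zip(specials, m.groups()) if g == c}
        found.append((m.start(), raw))
    return found


def context_at(body, offset):
    """Heuristic: if the last unmatched '<' before the offset has no closing
    '>', the reflection sits inside a tag (attribute context), else in text.
    Script blocks and comments are not distinguished here."""
    before = body[:offset]
    return "attribute" if before.rfind("<") > before.rfind(">") else "text"


def verdict(body, probe=PROBE):
    """Summarise the worst reflection in a response body."""
    found = reflections(body, probe)
    if not found:
        return "absent"
    offset, raw = max(found, key=lambda f: len(f[1]))
    ctx = context_at(body, offset)
    if "<" in raw and ctx == "text":
        return "exploitable: tag injection in text context"
    quotes = raw & {'"', "'"}
    if ctx == "attribute" and quotes:
        return "exploitable: attribute breakout via " + "".join(sorted(quotes))
    if raw:
        return "partial: " + "".join(sorted(raw)) + " unencoded in " + ctx
    return "escaped"


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13s} -> {verdict(body)}")
```

The point of tracking characters individually is the second sample: `<` was escaped, so a naive "is my string in the source?" check would call it safe, yet the unescaped `"` closes the attribute and is enough for an injection.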

2 comments

1) Follow their contact us request (Likely an email to the general address) and make a task note in a month to review the correspondence (stateless).

2) If no reply in that timeframe, make a blog post and a recommendation to listen to security reports. Post to HN. Public shame upon them to do the two things aforementioned.

I'm happy with this for my projects. I take security reports very seriously and it's the only development priority over cat pictures.

For monetary incentive: Major websites will give a reward for reporting to them.

You're much more likely to get in trouble with the law yourself than gain any benefit out of the situation. IT departments will be quick to blame a "hacker" instead of themselves for the vulnerability.