This is just a quick update about the story I posted last week regarding a nice security hole in a major Internet site. The tech support there have actually been really, really great in working with me to fix this problem. They emailed me an initial "Hey, we got your report" the day I sent it out, and later the email I'm sharing with you below. I initially expected to lose that account (and at one point today, I kinda wish I had), but so far it hasn't been locked or damaged in any way that I can see. I'd like to share their email as an example of doing things the right way.

Hi {Name},

We are aware of the issue that you described, and we will look into some possible solutions that won't disrupt page load times and general site performance. Thanks again, we appreciate the email and the blog post.

Thanks,

{Name}
{Title}
{Site}

I fully expected something more along the lines of a Cease and Desist letter, as I've got quite a few friends who managed to procure those simply by pointing out security flaws. Apparently some corporations feel the correct response to an academic report of a bug on their site is the same response one would use for a malicious hacker attempting to exploit their site. This company, however, was different and literally turned my perspective around. I really, really did not like them for a variety of reasons (mainly revolving around security), but after this they get an A in my book.

Bottom line: No code is flawless; it's how you deal with the bug reports that sets your site apart, not how perfect you can make it in the first place.

These guys got it, and once the issue is resolved I might even put their name up here (with their permission) and support them openly because too few companies are that willing to accept criticism and security hole reports.
