What is the process for submitting a Zero Day vulnerability? - JungleCats

Hey there guys,

I've found a Zero Day vulnerability (Just URI XSS) though it is affecting anywhere in the range of ~6M websites (according to Google).

I was wondering what the process I should follow is. (Report to vendor, wait for them to update software then disclose?)

I also was wondering the legality of this, am I likely to get into any kind of trouble here?

~JungleCats
======
netcorps
You could read up on <http://en.wikipedia.org/wiki/Responsible_disclosure>

Preferably contact the vendor directly without publishing your findings
online. Give them time to fix the issue. If they do not react and you feel
there is a great danger if you do not disclose the existence of this
vulnerability, publish it.

~~~
JungleCats
Hey there netcorps,

Thanks for the reply. I think that's the way I'll go about it.

Much appreciated!

------
merinid
Watch out. Each vendor / website has processes you may want to follow. You
could also get in touch with <http://www.us-cert.gov/>. They are helpful in
providing advice and guidance.

~~~
JungleCats
I appreciate the reply, I'll be sure to bookmark the link.

