

So You Just Received A Vulnerability Report. Now What? - hoop
http://www.charleshooper.net/blog/so-you-just-received-a-vulnerability-report-now-what/

======
onteria
Also, if you do get a report, it would be a good idea to keep an eye on the
Bugtraq and Full Disclosure mailing lists:

<http://seclists.org/>

where many vulnerabilities are released to the public. This is in case the
reporter goes public without you knowing it.

Also, it's a good idea to look the list over and see what types of
vulnerabilities are hitting applications. Don't just fix a single reported
exploit and call it a day. Find out what else could be wrong security-wise
with your code and fix those issues as well.

~~~
hoop
Excellent point, onteria. To further your suggestion, if it's reported that
some of your user-input variables aren't being escaped, then you'd better check
the rest of the unreported ones, too. And not just in that single
file/controller/view/whatever! (EDIT: Or whatever the root cause of the
vulnerability is.)

