[development] Irresponsible security researcher

Michael Prasuhn mike at mikeyp.net
Wed May 13 21:16:37 UTC 2009

On May 13, 2009, at 8:01 AM, Greg Knaddison wrote:
> The specific SA where Justin did not get credit was another situation
> of making a compromise: the "vulnerability" was disclosed and nobody
> on the team felt it was important enough to fix personally.  Justin
> and his employer were unwilling to allocate their resources to fix it.
> So, given that public disclosure had occurred and that the security
> team wasn't going to fix it and that we wanted to respond in a timely
> manner...we did a "public service announcement" reminding people that
> admin means admin.

While I'm not on the security team, I would like to point out that  
Justin was also not the only person to report a possible XSS  
vulnerability resulting from the 'administer content types' permission  
prior to SA-CORE-2009-002 ;)


* Please don't interpret this as my attempt to receive credit or any  
such thing. The thought of attempting to receive credit for such an  
obvious and commonly reported issue hadn't even crossed my mind until  

Michael Prasuhn
mike at mikeyp.net

More information about the development mailing list