[Full-disclosure] XSS at Citibank.co.uk
jnduncan at cisco.com
Sun Aug 14 06:56:09 BST 2005
Andrew Smtih writes:
> Anyway, I informed citibank through e-mail (no response), posted it on my
> blog (no response, no fix..) and now I'll post it here.
> I've had luck on FD in contacting BankOfAmerica employees in the past, so
> maybe there are a few Citibank admins listening? Let's hope so.
While any method of contact is better than none, may I suggest you check
the list of FIRST teams at http://www.first.org/ before posting
publicly? While I can't guarantee any given organization will be a
member -- nor can I guarantee a response to the given address --
Citigroup is a long-time member of FIRST, and their first-team members
have demonstrated excellent responsiveness in the past.
The direct link is http://www.first.org/about/organization/teams/. The
address to reach Citigroup's response team is first.team at citigroup.com.
Additionally, for the general benefit of Full Disclosure readers, the US
National Infrastructure Advisory Council (NIAC) Vulnerability Disclosure
Framework (VDF) documents a standard URL for identifying how to report
security issues, whether cyber or physical, into an organization.
Please consider checking http://www.example.com/security/ (the "slash
security" page) in addition to other methods you might use.
I would consider it a personal favor (in addition to the obvious benefit
to the security of The Net) if you and the other readers of the Full
Disclosure list would encourage wider adoption of this standard.
Details are available in the official NIAC VDF report:
The standard is designed to be appropriate for _any_ web site, whether
internal or external to an organization. The primary function is to
show how to report a security issue _into_ an organization, and the
secondary function is to show how to receive security information _from_
an organization. The tertiary function, if present, documents any other
security information relevant to the site. To quote Steve Bellovin,
following a presentation I made on this topic at a NANOG Security BoF
session, "This is important. Everybody should do this."
As a principal co-author of the report, I welcome any comments or
questions you or the other readers might have.
FIRST Steering Committee Member and FIRST.Org, Inc., Board of Directors
Jim Duncan, jnduncan at cisco.com, +1 919 392 6209
Critical Infrastructure Assurance Group, Cisco Systems, Inc.
Group URL: http://cisco.com/security_services/ciag/.
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821
Full-Disclosure is hosted and sponsored by Secunia.