"ap: What policy should apply in the case of public site vulnerability research? Should the researcher avoid it completely, apply the RFPolicy, or is the full-disclosure way viable too?
rfp: Funny, because I was just mulling this over recently. It’s one thing to have a security problem in something you control, such as a device or a piece of software installed locally. There’s the potential for you to enact a workaround or introduce another mitigating control.
Public websites are another matter. The only one who can fix the problem is typically the web site. There’s no mitigating strategy users can usually do other than forego use of the site. You think everyone is going to cease to use MySpace because they have an XSS hole? No way.
So thinking that it’s better to tell the world about a security problem in a public site than to tell the site owners is being part of the problem, and not the solution. Again, full disclosure is a tool, and is a worst-case/last-ditch scenario after all else fails."
So, WHAT is the solution then? Does ANYBODY know?