blogrolling.com had a security vulnerability. It was disclosed on someone's blog. Not only did this person decide to disclose the issue at the same time it notified blogrolling.com (which is now part of Tucows), but they decided to explain how to exploit it and even suggested certain blogs

As I commented, a good reference for disclosing security vulnerabilities would be RFP's.

anyone who reads my posts or knows me would know, I am a supporter of Tucows. I know they would have fixed this ASAP, regardless of the impact and public disclosure. That's just the way they are. I can understand why Ross is upset.

If more companies were like them, we'd have fewer instances of viruses, trojans, and malware, and disclosure wouldn't be a hot button.

said that, this is an amateur coding mistake. I would assume that due diligence when acquiring a technology product/company would include a code audit, and this would have been caught. Regardless, the code should have been reviewed after the purchase and this should have been found.

I'm not trying to knock Jason. He created a great product and offered it for free.