Month of MySpace Bugs Begins in April
The month of bug’s syndrome extends its reach into MySpace starting in April. The question is, will newscorp listen.
PC World is breaking the news today about the Month of MySpace bugs:
The MySpace hackers launched their project late Thursday expressing simultaneous enthusiasm and disdain for the task ahead. "If it ends up being just as lame as the Month of Apple Bugs, then we haven’t really missed the mark. If it’s funnier, then great," they wrote on their project’s blog. "If it kills this Month of Whatever fad, then hurray for everyone, it’s over."
They intend to primarily publish cross site scripting bugs, which can allow an attacker to execute malicious script within a victim’s browser, but they may also publish bugs that affect browsers or technologies like Flash or QuickTime. Source: PC World
On the hackers web site here they state:
While heap overflows and format strings and integer wraps are great and everything, we don’t intend to have too many "real" bugs. Most of what we intend to publish are silly XSS/misleading CSS style bugs that Myspace users may actually be able to use for a little while, and that involve only Myspace.com stuff. But in the end, the only requirement is that all bugs posted as part of MOMBY must have an attached PoC that touches Myspace.com, somewhere. So, browser bugs, Flash bugs, QT bugs, all are fine, even though they’re third party. Bugs in myspace skinning services or whatever is ideal, especially if most users would blame Myspace for the problem.
And finally, old bugs are fine, if they have a myspace application (and are unpatched). We will almost certainly recycle, should we come up with applicable techniques that involve teh mypsace. Source MOMBY
The interesting part about this, beyond the Month of Bugs about whatever is that this is increasingly becoming an acceptable way to release bugs onto the internet. The Month of Bugs has been fairly successful in gaining attention to issues where the manufacturer or social grouping has failed to answer or fix bugs for an extended period of time. Or the perception is that the people they report bugs to are no longer listening, or will not fix them.
The use of public "shaming" is becmong a vehical to get companies and groups to respond to issues. That is the most interesting part of the whole process, taking issues into the public realm because there is no other way to make something happen, or attempts to get things fixed have fallen on deaf ears.
Responsible disclosure is meeting public norms and standards when it comes to the security of the people who use the software in question.