Q&A with Amichai Shulman on the Critical Vulnerability in AJAX Technology
by Mirko Zorz - HNS Chief Editor - Friday, 5 January 2007.
In the case of open source platforms, like AJAX, formal vulnerability disclosure protocols do not exist. However, customers do have access to the source code, so they are able to take immediate corrective action without having to depend on the platform provider for patches. In this case we believe the best course of action for protecting customers is to inform them publicly as soon as we can provide both information about the vulnerability and recommended mitigation techniques. This arms organizations with the knowledge they need to take preventive measures and secure vulnerable applications. In the case of the DWR vulnerability, which is very straightforward and does not require any special tools to exploit, this approach benefits programmers who are responsible for securing their applications, not attackers. That's because the nature of this vulnerability is so simple to exploit that it is likely hackers are aware, or will soon become aware, of it independently of any public disclosure.


What is, in your opinion, the biggest challenge in protecting the huge amount of personal information stored in many Web 2.0 services?

From our perspective, Web 2.0 is in essence "collaboration in an untrusted environment". The Web 2.0 environment allows many individuals to separately manage their own territory on a shared server (e.g. personalization), while sharing a multitude of content formats. This creates a lot of opportunities for malicious individuals to extend their reach beyond their personal space on the server and distribute malicious content using a multitude of potentially vulnerable formats. All of this is of course achieved through an interface with rapidly growing complexity (AJAX based GUI using cool widgets and mashups). This openness and complex mix of technologies is what makes securing Web 2.0 services such a big challenge.
