Monday, December 28, 2009

Security Disclosure Policies That Remove Chilling Effects

As I have discussed before, PayPal has published a vulnerability disclosure policy that attempts to remove chilling effects for researchers wishing to responsibly disclose a security vulnerability. Until today I thought that PayPal and Microsoft were alone in having policies that explicitly gave security waivers to security researchers who practiced responsible disclosure.

I was informed of one and discovered another example of a similar policy, and I'm proud to say there are now several more policies like PayPal's:
If anyone knows of others, please let me know, as I'm going to try to keep a running list.

Friday, December 18, 2009

Best Security Improvements in 2009?

Taking a cue from Jeremiah's list of new 2009 hacking techniques I thought I'd start a list of best improvements in security in 2009.

So far I haven't come up with many substantial improvements, but I do have a starter list, in no particular order.
[Updated list based on Jeremiah's recommendations]
  1. IE8 removed CSS expressions support
  2. Rails now does output escaping by default?
  3. The new STS header.
  4. Firefox checks for updates to plugins
  5. Mozilla Content Security Policy (CSP)
  6. Microsoft IE8 X-Frame-Options anti-framing header
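As an added illustration (not code from the original post), here is a small Python audit of a site's response headers for the STS header and the IE8 X-Frame-Options header named above, plus Mozilla's CSP header. The sample headers are constructed, and the X-Content-Security-Policy header name for the 2009 draft and the 180-day minimum max-age are my assumptions.

```python
import re

# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Security-Policy": "allow 'self'",
}


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header carries no max-age directive, since browsers
    ignore such a header entirely."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        m = re.match(r'max-age\s*=\s*"?(\d+)"?$', directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def audit_headers(headers, min_sts_age=86400 * 180):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively; an empty list means the
    three protections named above are present and not obviously weak."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("STS missing: later visits can still be downgraded to plain HTTP")
    else:
        parsed = parse_sts(sts)
        if parsed is None:
            findings.append("STS malformed: no max-age directive, so browsers ignore it")
        elif parsed[0] < min_sts_age:
            findings.append("STS max-age %d is short; the pin lapses quickly" % parsed[0])
    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("X-Frame-Options missing: page can be framed by other sites")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value %r is not one IE8 recognises" % xfo)
    if "content-security-policy" not in h and "x-content-security-policy" not in h:
        findings.append("No CSP header (assumed 2009 draft name: X-Content-Security-Policy)")
    return findings
```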

Your recommendations welcomed.