
Further erosion of vulnerability disclosure

[b] http://alerts.symantec.com/default.asp?RedirectURL=">%alert('XSS')
[b] https://tms.symantec.com/formslogin.asp?">%alert('XSS')
[b] hurm...
[i] bah its just xss
[b] should be ">
[b] yes but it is before login
[b] and isnt this a security minded service?
 it's embarrassing if nothing else.
[i] are these internal? or external?
 also very funny !
[j] external
[o] tms is deepsight/threat management system i believe
[i] oh
[i] hahah
[i] nice work ;)
[t] i thought it was internal
[b] deepsight
[b] just got my account this morning
[b] XSS everywhere
[b] I wonder if I sent out a POC to the internal mailing list if I would get fired
[i] only one way to find out!
[d] there's an internal mailing list ?
[s] i think you should just blast it across worldwide GSS like happens when there's a need for staffing
[i] hhehe
[m] make sure to recommend that the ARIS (tm) threatcon be increased to at least 3 also


I lost the timestamps on this particular IRC log, but suffice it to say it was after the Symantec acquisition of @stake. I’ve removed people’s handles lest they get in trouble for what is said here. If you are reading this from the security community it might be easy to criticize this: “Who cares about XSS vulnerabilities?” It’s a valid point and one that I’m not ignoring here. If I had evidence of more egregious violations I may be uncomfortable posting them on a public blog. I think even with the minor severity of an XSS vulnerability the underlying issues are the same. Employee [b] found a vulnerability in corporate intellectual property. He found a flaw. It would be the right and just thing for him to report this violation. He felt uncomfortable doing even that.
A read through the RFP disclosure policy gives the average reader an idea of the timeline that has been accepted among most researchers as both responsible and fair. Of course the roles of the “researcher” and the “company” in the RFP policy assume that there is no link between the two. What if the researcher works for the company? Remember that in the US a company can fire any member in its employ for nearly any reason. So long as civil rights are not violated, the employment of the researcher is fair game.
I would be remiss if I didn’t mention the Yankee Group report “Fear and Loathing in Las Vegas: The Hackers Turn Pro” by Andrew Jaquith. In this report he describes the constant attack that security product companies find themselves under. Following the report Symantec announced that the @stake team, recently acquired, was already looking into these types of flaws. Most of us in the Cambridge office scratched our heads and muttered when this announcement came out. No one had heard of this program, and in the following weeks nothing was mentioned. If one were to look back through the email archives of the @stake team during this time and the months preceding it, it would be interesting to see how many product flaws were found. Many of the researchers, still a bit unhappy with the acquisition, made discoveries in Lotus Notes (the new de facto mail system of parent company Symantec) and other Symantec related products. It’s unclear how many of these “discoveries” either made it back to their respective companies or ever saw the light of day. It is almost certain that Symantec sits on a mountain (or perhaps it’s a hill) of 0day vulnerabilities discovered by the remaining all stars picked up in the @stake acquisition, such as Ollie Whitehouse and Isaac Dawson.
