As you might have read on my blog, I recently reported a security issue to MySpace. Instead of getting a "thank you for informing us of this problem" (which was all I wanted... I was aiming for MySpace to make their site safer, not for any publicity or anything :P), they deleted my account. The security hole I reported was patched though, so I guess that's good. I'm still annoyed at the deletion though. All my test accounts got deleted, but surprisingly my music account wasn't.
Anyways, I've found another security hole today. It's not another XSS hole; this is a different kind of security hole, with some privacy implications. So, the way that I see it, I have a few options regarding what I can do at this point:
- Do "the right thing" and report it to them again. Probably getting my remaining accounts deleted in the process (I have a new personal profile, and my music profile that wasn't deleted).
- Tell someone else and get them to report it on my behalf.
- Ignore it and hope they fix it themselves.
- Post it to a security/"hackers" website.
Obviously, the last one is not something I'd usually do, I'm just not that type of person. However, if someone were to do something like that, assuming it's posted anonymously, nothing bad would happen. So, the thing that's the most "correct" (reporting it to them) would get punished (as my previous reported security hole showed), whereas the thing that's "wrong" (posting it to a security site) wouldn't. Isn't it obvious what most people would do? How funny.