NotionCommotion Posted July 26, 2015
Domain name registrar? The prime web designer if there was a flaw anywhere in the application? A sub web designer if they were responsible for the flaw? The entity who issued the domain name? The individual who maintains the site? The VPS service provider? The browser client vendor? The victim? The CMS vendor if they allow the site owners to post JavaScript? The CMS vendor if there is a flaw in a plug-in? A web designer who uses a framework or CMS backbone which contains a flaw? The search engine provider who provided a link to the malicious site? The individual that posted the malicious content? Someone else?
https://forums.phpfreaks.com/topic/297479-who-is-legally-responsible-for-xss-vulnerabilities/
fastsol Posted July 26, 2015
In my opinion, whoever built the code that led to the vulnerability. So just because a web designer used a third party script, they shouldn't be held responsible for the issue if the issue lies in the third party script.
Strider64 Posted July 26, 2015
Well, if a company's website is hacked, it isn't the web developer who takes the blame in the eyes of the public, it's the company. Though the company that is taking the blame isn't going to give the web developer a free pass and just let it slide by without taking a hit. So it should be the web developer, but a web designer might get thrown under the bus if the company doesn't distinguish between developer and designer. Though I think that is highly unlikely, for most companies are smart enough to realize it's the coding that causes the problems. So my answer is whoever developed the script is the party at fault. However, the company that gets hacked isn't going to be very pleased with anyone that had anything to do with the website.
NotionCommotion (Author) Posted July 26, 2015
If the 3rd party script is known to have vulnerabilities, would expect the developer has some responsibility. Agree I should have used the word "developer" and not "designer". My scenario is whether a developer has to take measures to prevent presumably authorized users from misusing the application. Specifically, Bob is responsible for all content on bob.sites.example.com and Mary is responsible for all content on mary.sites.example.com. If I allow them to include JavaScript in the content, they can easily implement XSS. My belief is that allowing them to do so is acceptable provided the terms and conditions prohibit them from using the application other than what it was intended for. I do feel it is an interesting topic, and hope to hear other opinions. Thank you
QuickOldCar Posted July 26, 2015
I'm in no way a lawyer, and even a lawyer's advice in a forum wouldn't have much merit; if it went to court, all would be determined there. It's usually anyone and everyone a party can blame, and the lucky ones are those who can afford to get out of it or pass the blame and someone else accepts it. It's not even so much money, but a reputation can be at stake. In my eyes, if you clearly define in a TOS and also take actions against such wrongful person, you should be exempt from blame. "...and any illegal or malicious activity" is a broad scope.
Edited July 26, 2015 by QuickOldCar
Barand Posted July 26, 2015
If a burglar breaks into my house, don't send him to prison; send the guy who originally built the house.
NotionCommotion (Author) Posted July 27, 2015
> If a burglar breaks into my house, don't send him to prison; send the guy who originally built the house.
Or maybe the guy who sold the ladder that was used to build the house.