Who is legally responsible for XSS vulnerabilities?


NotionCommotion

  1. Domain name registrar?

The prime web designer if there was a flaw anywhere in the application?

A sub web designer if they were responsible for the flaw?

The entity who issued the domain name?

The individual who maintains the site?

The VPS service provider?

The browser client vendor?

The victim?

The CMS vendor if they allow the site owners to post JavaScript?

The CMS vendor if there is a flaw in a plug-in?

A web designer who uses a framework or CMS backbone which contains a flaw?

The search engine provider who provided a link to the malicious site?

The individual that posted the malicious content?

Someone else?

Link to comment
Share on other sites

Well, if a company's website is hacked, it isn't the web developer who takes the blame in the eyes of the public, it's the company. Though the company that is taking the blame isn't going to give the web developer a free pass and just let it slide by without taking a hit. So it should be the web developer, but a web designer might get thrown under the bus if the company doesn't distinguish between developer and designer. Though I think that is highly unlikely, for most companies are smart enough to realize it's the coding that causes the problems. So my answer is whoever developed the script is the party at fault. However, the company that gets hacked isn't going to be very pleased with anyone that had anything to do with the website. ;D

Link to comment
Share on other sites

If the 3rd party script is known to have vulnerabilities, I would expect the developer has some responsibility.

Agreed, I should have used the word "developer" and not "designer".

My scenario is whether a developer has to take measures to prevent presumably authorized users from misusing the application. Specifically, Bob is responsible for all content on bob.sites.example.com and Mary is responsible for all content on mary.sites.example.com. If I allow them to include JavaScript in the content, they can easily implement XSS. My belief is that allowing them to do so is acceptable provided the terms and conditions prohibit them from using the application other than what it was intended for.

I do feel it is an interesting topic, and hope to hear other opinions.

Thank you

Link to comment
Share on other sites

I'm in no way a lawyer, and even a lawyer's advice in a forum wouldn't have much merit; if it went to court, all would be determined there.

It's usually anyone and everyone a party can blame, and the lucky ones are those who can afford to get out of it or pass the blame and someone else accepts it.

It's not even so much money, but a reputation can be at stake.

In my eyes, if you clearly define it in a TOS and also take action against such a wrongful person, you should be exempt from blame.

"...and any illegal or malicious activity" is a broad scope

Edited by QuickOldCar