The new vulnerability archive XSSposed recently reported its first month results on Twitter @xssposed – it has received 1,087 vulnerabilities on 692 vulnerable websites, which were reported by 90 security researchers.
The company has also released a new feature – the XSSposed wishlist. XSSposed’s website explains:
Many companies and organizations exaggerate or lie about how secure they are and put your personal data at risk of being compromised.
If you want to find out how secure a particular website really is, just submit its URL in the form below, and security researchers will help you to find this out. The more people ask to verify a website, the more chances you have to get the attention of the researcher community.
Ilia Kolochenko, CEO of High-Tech Bridge, comments on the new initiative. His information security company revealed Yahoo’s low bug bounty and spurred the company to increase the amount paid to researchers:
I am not surprised that security researchers are motivated to report XSS vulnerabilities on one public archive. Today we have very few efficient “Bug Bounties” that work properly and fairly. A full disclosure approach may finally be the catalyst that will push web developers to secure their websites rapidly.
XSSposed is quite an interesting project; we have been monitoring it for several weeks. This week we are going to integrate it into our ImmuniWeb Hacking Resource Monitor. It seems that the project has definitely replaced XSSed.org to become the main source of publicly disclosed vulnerabilities.
On an additional note, it’s interesting to see numerous PageRank 10 sites there together with the largest e-commerce, government and infosecurity websites. This definitely proves that the current state of affairs in web application security is far from perfect and needs serious improvement.
The XSS vulnerability archive XSSposed (XSS exposed) is an open, non-profit internet XSS archive where any security researcher can report a Cross-Site Scripting (XSS) vulnerability on any website. The purpose of the project is to maintain a complete archive of XSS vulnerabilities on all possible websites and domains.
All the mirrors of XSS vulnerabilities are independently verified before being published. We never remove any mirrors for political or business reasons. Each submitted mirror will remain, regardless of who the researcher is and who the website owner is.
The idea of the project is to facilitate vulnerability disclosure – we support full disclosure. For security researchers XSSposed is a safe place to report an XSS vulnerability and gain public recognition/credit, while for website owners and administrators, it’s an up-to-date source of information to keep their websites safer.