Monday, February 18, 2008

Fastest fix in the West - a vendor's excellent response

Rare is the occasion when one who researches and responsibly reports web application vulnerabilities is met with an open, immediate, consumer oriented response from a vendor. But so it was when I let the folks who develop Tendenci, a Schipul offering, know about a few XSS issues. These are people who take great pride in their product; had they simply fixed the issue, and perhaps sent back a quick note many days later, I would have accepted that as the typical norm for most responsible vendors.
Yet, Schipul took the process to a new height, raising the bar entirely.
I literally heard back from Schipul's Jennifer Brooks within an hour of notification. Within 24 hours the issues had been addressed, and even more surprising, Tendenci posted the issue and its resolution to their blog, providing customers with a summary and an FAQ.
This rapid, public response exemplifies a company who seeks to protect their brand, their customers, and the end user, all in the same spirit and with the same intent.
To Schipul I say well done, extremely well done, and thank you. | digg


happykatie said...

Thanks Russ - as a Tendenci/Schipul team member I appreciate you 1) pointing out this vulnerability so that we could patch it up and 2) writing such a great follow-up post on top of that.

We are passionate about our software and our Users and anything that pushes us further in our goal to connect and organize the World's people is a good thing.

Thanks - Katie

Anonymous said...

Thanks Russ. It means a lot to us here at Schipul that our seriousness about security meant enough to you that you wrote a follow up post about it.

We appreciate what you do and we are so glad that you caught this vulnerability for us before it became a big issue.

Nicole Newton

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...