twitter facebook rss

XSS full disclosure lives on

Posted by on June 29, 2014.

When John Cartwright closed the Full Disclosure mailing list earlier this year, it was quickly re-established by Fyodor. Full disclosure lives on. But the mailing list was not the only full disclosure outlet to end — XSSed ground to a halt at around the same time. Now that too has been resurrected in the form of, a new repository for the full disclosure of XSS vulnerabilities.

Cartwright closed the mailing list because the legal pressure and threats finally got to him. At the time, Tod Beardsley, engineering manager for Metasploit at Rapid7, told me,

“To be sure, there are personal and legal issues at play when you’re dealing with fresh zero-day. Going by John Cartwright’s released statements, those seem to be the primary motivators for halting service. But, while it’s sad to see it go, just because the Full-Disclosure mailing list has come to an end, it doesn’t mean that ‘full disclosure’ as a philosophy has ended.”

I don’t know if they were the same primary motives for abandoning XSSed, but its creators DP and KF would certainly have felt them. But Beardsley’s words were prophetic — full disclosure as a philosophy has not died. The new website,, is the clear successor to XSSed (indeed, you can search the old XSSed database from within the new site).


This time, however, its creators are going to some lengths to protect both their own and their users’ anonymity.

The idea of the project is to facilitate vulnerability disclosure – we support full disclosure. For security researchers XSSposed is a safe place to report an XSS vulnerability and gain public recognition/credit, while for website owners and administrators, it’s an up-to-date source of information to keep their websites safer.

Submissions can be done anonymously – all our logs are regularly deleted – or under security a researcher’s nickname or even real name.

While the English might not be perfect, the site itself is slick and professional — and the intent is clear.

The new site has also gone to some lengths to protect itself. The registration data for XSSed still clearly shows the French (or French Canadian) influence (hosted by OVH) and indicates that KF is probably Kevin Fernandez. XSSposed, however, is hidden behind Domains By Proxy (tag line: ‘Your identity is nobody’s business but ours’):

Admin ID:CR167516686
Admin Name:Registration Private
Admin Organization:Domains By Proxy, LLC
Admin Street:
Admin City:Scottsdale
Admin State/Province:Arizona
Admin Postal Code:85260
Admin Country:US
Admin Phone:+1.4806242599
Admin Phone Ext:
Admin Fax: +1.4806242598
Admin Fax Ext:

I approached XSSposed and asked, “Who are you?” They replied,

“We are a group of security professionals from several countries (mainly EU). All of us participated in various Bug Bounty Programs, but we believe that all, or almost all, of them fail for one reason or another.”

I asked, “Why are you?” They replied,

“We believe that full disclosure can make web a safer place, as otherwise website owners and admins never care.

“For example we notified Kaspersky about XSS on their websites 3 months ago – they didn’t even reply. After exposing the same vuln at XSSposed it was patched in < 24 hours. We are not a panacea but make web safer.”

Full disclosure lives on.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: News, News_vulnerabilities | Tags: , , , , ,