Cherry-picking vulnerabilities…

… is simply a selfish, egotistical exercise by people who don’t understand the nature of risk. Like here.

Disclosure in the Web 2.0 world is a different beast from what we see with client-side vulnerabilities, with a different risk model. Obviously, Chris Shiflett can do whatever he wants, but it is entirely arrogant for him to think he is doing Amazon and the rest of the world a favor.

I wonder if one could gather enough forensic evidence to determine causation between an attack against Amazon and the OmniTI CSRF post. Have to ask my business lawyer friends if there are any grounds for an Amazon lawsuit…