Obligations
Due to a bad cold I was not able to post anything yesterday. Rest assured that you will not miss any of the daily letters nor any of the TLDs.
Yesterday’s letter was z.
The letter z is found 5 times. One occurrence is from a framed search on Eurocard. This was fixed very rapidly.
Today’s letter is not a letter, it’s -
The character - is found 7 times. All of those still have a live vulnerability.
Yesterday’s TLD was .tz
Yeah I have surfed by Tanzania. Considering the domain name for this blog it shouldn’t be all that surprising. .tz is found once.
Today’s TLD is edu
edu is also found once. A department of ethics.
Obligations
When I find a security vulnerability I feel I have an obligation to notify the site owner about the risk. Depending on the site I also feel I have an obligation to inform users about the potential risks with a certain site. To balance those 2 obligations I have come up with a vulnerability disclosure policy. The policy I arrived at gives the receiver at least one week to take action. Unless otherwise agreed upon, I disclose the issue on the disclosure date. If the response to a notification is: “If there is no exploit we don’t care”, I will not feel obligated to wait until the disclosure date.
I think site owners should have an obligation to make sure their web site is safe. One should think it’s in their best interest to do so.