Administrivia: Real domain names in PoC/exploit examples

Hey everybody,

I just wanted to clarify our policy about accepting posts that contain
real domains and websites in proof-of-concept and exploit examples. We
don't. If I see this, my normal response is to bounce it back to the poster and
ask them to sanitize the example and resend their post. But this
causes delays in moderation and occasionally the poster doesn't resend
the message, which is unfortunate. You may ask why I don't just
sanitize it myself... well, it is my policy not to edit posts unless it
is at the behest of the poster.

To clarify the kind of thing that is not acceptable:
- Examples that use the vendor's site (or demo installation)
- Examples that use a site where the software is installed
- Less obviously, examples that use any real domain (target.com is an
example that someone kindly pointed out)

And this is the sort of thing that would be appropriate:
- www.example.com (this is really the best way to go)
- Some other place-holder that is not a valid domain such as <victim>,
Dave McKinney

keyID: E461AE4E
key fingerprint = F1FC 9073 09FA F0C7 500D  D7EB E985 FAF3 E461 AE4E