A few main rules:
- Only White hat attitude is accepted.
- The goal is to make the Web, some framework, technology, standard or group of websites more secure and safer - not a specific web resource with an issue.
- We should take backwards compatibility into account and decide what is better - fix it now and experience some problems with old code, OR never fix it and get pwned every time we forget/miss something.
- Mass assignment issue in Rails. Done.
- GET-accessible actions. Please whitelist your params and routes and use REST if possible. In Rails, match is a potentially dangerous method - Fixed.
- Referer and Origin are messed up with "data:" and "about:blank" URLs. It will not be fixed because it's expected behavior - Chrome team.
- Ruby Regexp start/end tokens issue. Ruby will stay in multiline mode (^ and $ match at line boundaries) and the behavior won't be changed - http://bugs.ruby-lang.org/issues/6472. Great, it's the very first thing I will try to exploit in Ruby websites. Rails will warn you: https://github.com/rails/rails/pull/6671.
- CSRF/XSS issues, Clickjacking/frames, JSONP techniques, content-type, Basic auth, XSS Auditor - The Web Is Broken.
- OAuth, OAuth2.a Proposal
- Please support the project by dropping a line to firstname.lastname@example.org. ALL thoughts/ideas/opinions regarding Web Security are appreciated!
The Web is not complicated. It just has some bugs and is full of mess we need to clean up - #SaferWeb will make the Web safer, I guarantee it.
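The Ruby Regexp point above is easy to get wrong, so here is an added example (my own code, not the post's and not Ruby's or Rails' own) showing why a validation regexp anchored with ^ and $ lets multi-line input through, and why \A and \z are the right anchors. The inputs are constructed samples; the line_anchored? helper is a hypothetical check in the spirit of the Rails warning, not the code from that pull request.

```ruby
# In Ruby, ^ and $ always match at line boundaries (there is no "single-line"
# mode to switch off), so a format check built on them only validates ONE line
# of the input. \A and \z match only at the start and the very end of the
# whole string, which is what a whitelist validation actually needs.
LINE_ANCHORED   = /^[a-z0-9_]+$/     # unsafe for validating untrusted input
STRING_ANCHORED = /\A[a-z0-9_]+\z/   # safe: anchors to the whole string

def valid_line_anchored?(username)
  LINE_ANCHORED.match?(username)
end

def valid_string_anchored?(username)
  STRING_ANCHORED.match?(username)
end

# Constructed sample inputs: one clean value and two multi-line values where
# only one line satisfies the character whitelist.
SAMPLES = [
  "alice",
  "alice\n<script>alert(1)</script>",
  "<script>\nbob\n</script>",
].freeze

# Returns [input, result with ^/$ anchors, result with \A/\z anchors] per sample.
def compare_anchors(samples = SAMPLES)
  samples.map { |s| [s, valid_line_anchored?(s), valid_string_anchored?(s)] }
end

# Hypothetical lint helper (assumption, not Rails' implementation): flag a
# regexp whose source begins with ^ or ends with an unescaped $, the same class
# of pattern Rails started warning about for format validations.
def line_anchored?(regexp)
  src = regexp.source
  src.start_with?("^") || (src.end_with?("$") && !src.end_with?("\\$"))
end

if $PROGRAM_NAME == __FILE__
  compare_anchors.each do |input, loose, strict|
    puts "#{input.inspect.ljust(40)} ^$ => #{loose}  \\A\\z => #{strict}"
  end
  puts "LINE_ANCHORED flagged: #{line_anchored?(LINE_ANCHORED)}"
  puts "STRING_ANCHORED flagged: #{line_anchored?(STRING_ANCHORED)}"
end
```

Run it and the two multi-line samples pass the ^/$ version but fail the \A/\z version, which is exactly the gap a format validation (or a route constraint) written with ^ and $ leaves open. Note that \Z (capital) still permits a single trailing newline, so \z is the anchor to use at the end.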