Discuss Scratch
- HTML-Fan
Scratcher
1000+ posts
If you would (theoretically) find a XSS bug, what would happen?
What would happen when you find an exploit in the Scratch website and use it for, for example, a self-loving project? What would happen? Permanent ban?
- Jeffalo
Scratcher
1000+ posts
you'd be breaking the law.
i think if it was used to demonstrate responsibly (e.g. alert('xss!')) i think the ST would be ok as long as you're reporting the bug.
if you used it to gather login cookies or something, i think they might be slightly more harsh…
edit, clarifications because this is a bad post:
- do not publicly demonstrate the bug, report it directly to the scratch team and clean up after yourself if your testing left some evidence that others might find.
- do not exploit a bug. that's bad.
Last edited by Jeffalo (Nov. 24, 2021 10:47:27)
- HTML-Fan
Scratcher
1000+ posts
> if you used it to gather login cookies or something, i think they might be slightly more harsh…
Yeah I think so too but where's the border between demonstrating a bug and shamelessly doing questionable stuff?
- mtech22
Scratcher
1000+ posts
>> if you used it to gather login cookies or something, i think they might be slightly more harsh…
> Yeah I think so too but where's the border between demonstrating a bug and shamelessly doing questionable stuff?
In your scenario, you can't use it to get top loved. But i'd think giving yourself 2-3 hearts would be fine to demonstrate the problem and point it out to the ST.
- HTML-Fan
Scratcher
1000+ posts
>>> if you used it to gather login cookies or something, i think they might be slightly more harsh…
>> Yeah I think so too but where's the border between demonstrating a bug and shamelessly doing questionable stuff?
> In your scenario, you cant use it to get top loved. But i'd think giving yourself 2-3 hearts would be fine to demonstrate the problem and point it out to the ST.
Lol if it leaves a love and fav and griffpatch sees it …
- scratchykit5743
Scratcher
1000+ posts
you'd get IP and perma-banned.
Last edited by scratchykit5743 (Aug. 17, 2020 13:43:06)
- mtech22
Scratcher
1000+ posts
> you'd get IP and perma-banned.
Why?
- Harakou
Scratcher
1000+ posts
If you find a vulnerability in Scratch, please use the Contact Us link to let us know instead of exploiting it. We have a bounty program that we can invite you to, which allows us to fix bugs before they're made public and award bounties to bug-finders. If you publicize a software vulnerability without giving the maintainer time to fix it, even as a proof-of-concept, you open the door to malicious actors using it for harm.




