Kevin Overcash (Breach Security) and RSnake's blog brought NIST.org's Cross-Site Scripting (XSS) Hall of Shame to my attention.
Kevin's words: "Following up on the XSS disclosure list on sla.ckers.org, the NIST.org has begun maintaining a list of commercial and government web sites that have been reported to be vulnerable to cross-site scripting attacks. ... It appears that NIST will maintain this site over time and provide organizations with the ability to remove themselves from the list when they demonstrate they are no longer vulnerable. NIST will verify the eradication of the vulnerability and remove sites that secure themselves. There are quite a few large organizations listed here. I believe that this is an important step in disclosure that may or may not have legal problems. For the moment, it serves as a significant wake up call to businesses. Everyone is vulnerable and the hackers know it."
When there's talk of legal issues regarding the discovery and disclosure of XSS vulnerabilities, I'm reminded of a funny line from the movie Kingpin.
Roy: "Is this legal, Mr. McCracken?"
Big Ern: "I don't know, it's fun though, isn't it!"