Make effective security easy by default
Make insecure patterns “grep-able”
Actively monitor for attacks. Spikes in 500s and failed logins are your first clue.
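The bullet above names the two cheapest signals to watch. As an added example (not code from the slides or their author), the Python below buckets web-server log lines by minute and flags a minute when 5xx responses cross a threshold, or when one client IP racks up repeated failed logins. It assumes Apache/nginx combined log format, that the application's login endpoint is `/login` and answers a bad password with 401/403, and fixed per-minute thresholds; the log lines, IPs and timestamps are constructed for the example.

```python
"""Added example: flag 5xx spikes and failed-login bursts in web-server logs.

Assumptions (not from the original slides): combined log format, a login
endpoint at /login that returns 401/403 on failure, and fixed thresholds.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not a real capture): a quiet minute, then a minute of
# server errors from one client, then a burst of failed logins from one IP.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [08/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.6 - - [08/Mar/2024:10:00:09 +0000] "GET /api/users HTTP/1.1" 200 812
10.0.0.7 - - [08/Mar/2024:10:00:21 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [08/Mar/2024:10:00:44 +0000] "GET /api/search?q=shoes HTTP/1.1" 200 2048
10.0.0.8 - - [08/Mar/2024:10:00:58 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.9 - - [08/Mar/2024:10:01:02 +0000] "GET /api/search?q=%27 HTTP/1.1" 500 0
10.0.0.9 - - [08/Mar/2024:10:01:03 +0000] "GET /api/search?q=%22 HTTP/1.1" 500 0
10.0.0.9 - - [08/Mar/2024:10:01:05 +0000] "GET /api/search?q=%3C HTTP/1.1" 500 0
10.0.0.9 - - [08/Mar/2024:10:01:06 +0000] "GET /api/search?q=%00 HTTP/1.1" 500 0
10.0.0.9 - - [08/Mar/2024:10:01:08 +0000] "GET /api/search?q=%25 HTTP/1.1" 500 0
10.0.0.9 - - [08/Mar/2024:10:01:09 +0000] "GET /api/search?q=%5C HTTP/1.1" 500 0
10.0.0.5 - - [08/Mar/2024:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [08/Mar/2024:10:02:01 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.23 - - [08/Mar/2024:10:02:03 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.23 - - [08/Mar/2024:10:02:04 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.23 - - [08/Mar/2024:10:02:06 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.23 - - [08/Mar/2024:10:02:08 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.23 - - [08/Mar/2024:10:02:09 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.23 - - [08/Mar/2024:10:02:11 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.23 - - [08/Mar/2024:10:02:13 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.6 - - [08/Mar/2024:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

# Combined log format prefix: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

LOGIN_PATH = "/login"            # assumption: the app's login endpoint
FAILED_LOGIN_STATUSES = (401, 403)  # assumption: what a bad password returns


def parse_line(line):
    """Return the fields we need, or None for a line that is not in the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.strftime("%Y-%m-%d %H:%M"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def summarize(lines):
    """Per-minute counts: total requests, 5xx responses, failed logins per client IP."""
    buckets = defaultdict(lambda: {"total": 0, "5xx": 0, "failed_logins": Counter()})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        b = buckets[rec["minute"]]
        b["total"] += 1
        if 500 <= rec["status"] <= 599:
            b["5xx"] += 1
        if (rec["method"] == "POST" and rec["path"] == LOGIN_PATH
                and rec["status"] in FAILED_LOGIN_STATUSES):
            b["failed_logins"][rec["ip"]] += 1
    return buckets


def find_spikes(lines, max_5xx_per_minute=5, max_failed_logins_per_ip=5):
    """Return (minute, kind, source, count) alerts in time order."""
    alerts = []
    buckets = summarize(lines)
    for minute in sorted(buckets):
        b = buckets[minute]
        if b["5xx"] >= max_5xx_per_minute:
            alerts.append((minute, "5xx_spike", "*", b["5xx"]))
        for ip, n in b["failed_logins"].most_common():
            if n >= max_failed_logins_per_ip:
                alerts.append((minute, "failed_logins", ip, n))
    return alerts


if __name__ == "__main__":
    for alert in find_spikes(SAMPLE_ACCESS_LOG.splitlines()):
        print(alert)
```

Running it on the constructed log produces one `5xx_spike` alert for 10:01 and one `failed_logins` alert for 198.51.100.23 at 10:02; the single 401 at 10:00 stays below the threshold. Fixed per-minute thresholds are the simplest thing that works; in production you would compare each minute against a rolling baseline so that a site whose normal 5xx rate is ten a minute does not page constantly, and you would also key failed logins by target account, since a credential-stuffing run spread across many IPs will not trip a per-IP counter.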
“I discovered the vuln late Friday afternoon and wasn't quite ready to email it to them. Saturday morning, I confirmed the hole was still there and fixed a few bugs with my demo. I had my girlfriend test it from her house. It didn't work for her. I tested again and it had stopped working for me. Sure enough, it was now properly sanitized and had the correct JSON MIME type. The following Monday I received a response thanking me for reporting it, and telling me I was right.”
Treat independent security researchers with respect.