Discovering and Disclosing httpoxy

Over the past two weeks, I’ve been coordinating the disclosure of a pretty big and very old security vulnerability. If you’re looking for the technical details, you can head to httpoxy.org, and if you’re looking for a non-technical explanation, you might prefer to read my other Medium story about the issue.

Instead, this is the story of how we discovered it, and my experience with the disclosure process.

Background

Vend is a retail POS, inventory management, ecommerce and customer loyalty system we run as a service. …


An explanation for non-technical audiences

Hi! I’ve been telling the open source community about a security vulnerability that was recently rediscovered lurking in a bunch of software. This is an attempt at a simple explanation of the problem, for people who don’t write or deploy web applications.

If you’re looking for technical details, and mitigation instructions, you can head to httpoxy.org. And if you’re looking for a story about the discovery and disclosure process, you can check out my other Medium story on httpoxy.

Also, I’d like to point out that, because we found this, we were able to prevent it from ever affecting Vend…

Dominic Scheirlinck

Open source web developer. I work at vendhq.com, but these are my stories.
