The full quote from Rick Ross is "I am grateful that Ben Newman and Albert Sheu of Quora have identified a (now fixed) XSS vulnerability in our test site, but I am surprised that Quora policy permits developers to engage so openly in vandalizing other people's websites." which is slightly nicer than that article makes it sound.<p>Personally, I think the Quora engineers involved made some poor decisions. Anyone who looks for security vulnerabilities on websites they don't own or control is on shaky legal footing (there are exceptions: Google, Mozilla, Facebook, and a few other companies provide systems for the responsible disclosure of vulnerabilities). However, publicly disclosing vulnerabilities on a competitor's website (and making your proof of concept mildly malicious) is never going to work out well for anyone: it makes your company look like a bully and exposes you to potential legal ramifications.
[edit: Troll answers have been deleted, but you can still read the trolling comment thread: <a href="http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/all_comments/Ben-Newman" rel="nofollow">http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/a...</a> and <a href="http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/all_comments/Samuel-Codsaw" rel="nofollow">http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/a...</a> ]<p>On the Quora thread, <a href="http://www.quora.com/Is-Qato-a-Quora-clone-attempt-or-a-similar-looking-Q-A-site" rel="nofollow">http://www.quora.com/Is-Qato-a-Quora-clone-attempt-or-a-simi...</a> there are some answers by trolls pretending to represent Qato.<p>"Samuel Codsaw" writes: 'Also, we are using Ruby on Rails, so we expect to have less trouble scaling and finding devs than Quora has.'<p>Rick Ross, president of DZone (developers of OSQA and Qato), replies in the comments: 'This imposter has no connection with Qato and does a disservice to both Quora and DZone by posting this nonsense.'<p>"Kevin McDougal" answers and comments, also trying to make DZone look bad. ("Rick, our plan to sabotage the Quora community is working. Did Hernani create the 100 fake Quora accounts yet?" ... "Hold on. Was that message private or public?") It's pretty juvenile and makes me question the quality of the Quora moderation system.<p>Why are there all these sock puppet accounts (<a href="http://www.quora.com/Kevin-McDougal" rel="nofollow">http://www.quora.com/Kevin-McDougal</a> and <a href="http://www.quora.com/Samuel-Codsaw" rel="nofollow">http://www.quora.com/Samuel-Codsaw</a>) popping up and pretending to represent Qato? They have only one answer on the entire site, and it's on this thread.<p>Are Quora engineers behind these trolls, or who?
Regardless of who is behind it, the trolling reflects poorly on Quora, not Qato.<p>The comments by Ben Newman (Quora dev) honestly are quite juvenile, and do a disservice to Quora, regardless of any ethical considerations on the part of Quora or Qato. I would prefer to see him take the moral high road.
Just for the record, I meant it sincerely when I said that we were grateful that Ben Newman and Albert Sheu showed us an XSS hole in Qato, and that has now been fixed.<p>The site in question was just an unpromoted testing prototype which barely has any content and happened to have the Quora-like skin on at that moment. It probably shouldn't even have been publicly accessible.<p>Another Qato site on the same server is <a href="http://robofaqs.com" rel="nofollow">http://robofaqs.com</a>, which is sporting our OSQA clone theme. It doesn't look anything like Quora at all, but is powered by literally the same server instance. That's what we're trying to say - Qato is the general purpose Q&A engine under the skin, and these various skins just modulate the way a Qato site looks.
Vandalism is a stupid word to use. I imagine the process went something like this: "I wonder what happens if I add <script>$.fadeOut() as the text of the question" "Oh crap, it worked".<p>This is called experimentation. If you're in chemistry class and you mess up a lab, you're not accused of vandalizing apparatus... it's simply what happens when you are trying something out. Similarly, when you have a text box on a test website, someone is going to type something in, and if that causes the page to disappear, well... fix the bug and move on.
The same thing happened at my friend's company, and they fired the engineer who identified and exploited the persistent XSS on their competitor's website. Personally I would do the very same thing.<p>1. It's against the law
2. Extremely unprofessional and childish
3. There are better ways to report security vulnerabilities
I just left the following comment:<p>--
It's pretty lame to copy the design and trade dress of another product. It does not bode well for your skill or ability.<p>Backstory: A long time ago I wrote Delicious. We had hundreds of copycats and competitors. The ones that weren't direct copies were the ones that did better.<p>I'm sure this doesn't apply to you for whatever reason.
Everyone's right that it was an ill-advised thing to do, but stepping back, ignoring the law (I know...) and just asking yourself the gut question:<p>What's worse? Injecting a relatively harmless script into the product (that frankly caused them to fix an issue that could have been very painful for them if someone more devious had found it first), or Qato's ripoff of Quora in the first place?
I certainly don't think the Quora engineers were right to vandalize the clone's website in this case.<p>I'm all about people making Q/A websites and releasing products that are clones of other products. Ideally this kind of competition can make the original product better.<p>That being said, I find making a clone of someone's product and then releasing said product, at least in this sense, distasteful, seeing that it has such similarity to the original that if you weren't familiar with the original you probably couldn't tell the difference.
From the comment thread:<p>"So Qato was caught plagiarizing and now they're complaining about supposed "vandalism"? Reminds me of those newspaper headlines where the robber hurts himself breaking into a home and tries to sue the family."<p>I have to agree. This is basic JavaScript injection. Can you say, "blown out of proportion"?