W3C recently submitted to a Web Application Penetration Test. It was conducted by researchers and testers of SBA Research within the context of the Mobsetip research project and specifically targeted Reflected Cross-Site Scripting (RXSS) vulnerabilities using combinatorial testing methodologies. SBA Research approached W3C since the size of our website and the nature of our organization made for an interesting test subject. W3C seeks to continually improve its security: it has submitted to penetration tests in the past and conducted its own audits, and it welcomes community reports on its open collaborative infrastructure. An RXSS vulnerability was found in W3C’s online tidy service and corrected. Anyone running their own instance of this service is encouraged to upgrade.
W3C appreciates SBA Research’s effort and responsible vulnerability disclosure practices.