In response to a previous blog entry regarding XSS issues in the
current YaWiki release and the ensuing discussion, Paul did a bit
of research on "an ethical protocol for research", which resulted in this blog entry.
Paul sums up his conclusions with this statement:
So the ethical framework is pretty easy, if annoying; the key is,
"Who owns the site?" If the site is not yours, you need permission
to perform vulnerability assessments and penetration testing,
including "benign XSS testing" and "security research" (or whatever
other euphemism you may wish to coin). If the site is within your
organization, then you need to follow your organizational policy for
testing, and that is almost certain to include a notify-then-wait
clause. These points might make "research" less convenient for you,
but you will have the knowledge that you have behaved in a proper
and ethical manner.
The discussion following the blog entry, involving Rasmus,
Chris Shiflett and Ilia Alshanetsky, brings up many other
interesting views.