AntiSnatchOr.com - Keep It Simple Stupid


Konakart 2.2.6.0 Responsible Disclosure

antisnatchor — 23 December, 2008 - 00:21

Full Disclosure or Responsible Disclosure? That's the problem! Well, usually I prefer the second one, especially if I'm working with applications I've used, known or tried at least once: that's the case with Konakart. We don't actually use it, but I still recommend it to everyone who works with osCommerce (same DB structure) and doesn't want to be bored developing in JEE. Konakart is a really stable product, and now it is also more secure in its default configuration: Paolo Sidoli and I worked together to fix frontend-related XSS vulnerabilities and a few other bugs. His replies and patches were fast and concrete, and in less than one week we managed a full pen test and a full security patch. I confess that it's really amazing to exploit web applications, bypass filters, find bugs and so on, but maybe the most exciting (and undervalued) phase is the mitigation of those bugs. That's clearly true if and only if the team to which you're reporting the vulns is open to collaborating with you: if they aren't, RFPolicy can help us. Konakart users, please apply the patch...
  • Advisories
  • News
  • XSS
