I would like to have some inputs from you all on the following scenario.

A web site / application is hosted with a web hosting service provider (HSP). However, there is vulnerability in the web site that gets exploited and the sites functionality is affected. Whenever a end user is visiting the website, some malicious code is called from a remote malicious website. Note that the malicious code is not stored on the hosting service provider’s server.

Under such a scenario, does the HSP provide any kind of support to analyze the website / code and rectify the issue? I know most of the answer is going to be – “It depends on the agreement with the HSP”. However, there is no specific agreement other than the standard hosting agreement exists between the HSP and the client. I have come across people saying that the client is paying to the HSP, so they are supposed to help remove the vulnerability. I believe, the scenario is clear.

I agree jimbob.

Assuming the client wrote the website, then the vulnerability is theirs and they would (should) fix it.

I'm with everyone else on this with one major caveat.

As a client, you are most likely on a shared server.  If the hosting provider doesn't have a secure setup (and many don't), a vulnerability in one user's site that provides a shell escape can impact every user on the box.

I've seen cases where a client's site was defaced.  I looked at the server via SSH and was able to determine (pretty quickly) that other sites on the same server had been compromised as well.  Without root access (which the hosting provider obviously didn't give me) I can't say for sure which site was the compromise vector but everyone was impacted.

Sure hosting providers could provide each client their own "server" with virtualization, but this brings new challenges (particularly with resource  monitoring).  I would also say that any company that can't configure shared hosting boxes more securely certainly isn't up to the task with virtualization.

Basically, if one client is screwing up other clients, it is the hoster's responsibility to either help the offending client or get them off the box.  They've likely expended all the work to find the offending client (and what security problem they're having), seems like a perfect opportunity to fix it for a nominal fee (especially if the alternative is expulsion).