Re: Informing Companies about security vulnerabilities...

From: Dragos Ruiu (dr@pacsec.jp)
Date: Wed Oct 04 2006 - 16:06:47 EDT


On Wednesday 04 October 2006 12:15, bugtraq@cgisecurity.net wrote this about
XSS testing:
> So you are admitting publicly that you and a class of students that you
> teach are illegally testing random public websites for the purpose of
> learning about security vulnerabilities? Sounds like you/your company need
> to speak with a lawyer.
>
> - Robert

Sound like you need to consider your response. I'll let the lawyers
correct me, but AFAIK unless the thing you are pointing them at
contravenes some laws, merely posting something with a cross
site reference to a site does not constitute prohibited behaviour
anywhere I know of, and there are many legitimate contexts to
be doing this in (as well as the unitended ones) and intentional
reasons why some sites explicitly allow this (for better or for worse).

Maybe you need to consult your lawyer :-).

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan    November 27-30 2006    http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:06 EDT