Re: Informing Companies about security vulnerabilities...

From: Dan Catalin Vasile (hardware_cta@yahoo.com)
Date: Thu Oct 05 2006 - 15:10:40 EDT


> You can try to set them an ultimatum pretending to disclose the holes
> to the public. Perhaps they are more willing to react if they are forced
> to do so.

Yeah, right... and then call all the lawyers that you know.
This would be blackmail, so you are eligible for a grandiose legal
action against you.

My several cents: if they don't answer after one
e-mail just leave them. You have done more than
enough.

Have secure fun,
Dan

--- Andreas Putzo <putzoa@gmx.de> wrote:

> On Oct 04, Joseph McCray wrote:
> > Usually when we do this we only find a few simple things (XSS for
> > example) - no big deal right. With this particular website we just kept
> > finding another, after another and on and on. Over 600 instances of XSS,
> > over 200 SQL Injection - this was bad. After a while it started to get
> > boring there were so many....
> >
> > So I drafted a letter to the editor as well as several other prominent
> > people at the newspaper. It detailed my findings and recommended some
> > possible mitigation strategies. After emailing this I didn't hear
> > anything for a few days, so I emailed it again and followed up with a
> > phone call. After getting no response to the second email and then
> > having been bounced around from department to department when I called I
> > just said forget it.
>
> You can try to set them an ultimatum pretending to disclose the holes
> to the public. Perhaps they are more willing to react if they are forced
> to do so.
> Depending on the information you can get through the website (customer
> data anywhere?) and the laws in your country (IANAL, btw.)
> you may go to the intrigued publicity, indeed. They gotta have to do
> something if someone defaced their website actually.
>
>
> --
> regards,
> Andreas Putzo


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:07 EDT