Re: Disclosure of vulns and its legal aspects...

From: krymson@gmail.com
Date: Wed May 30 2007 - 14:50:24 EDT


First, I fully agree that you should dump them the information anonymously and then walk away.

But...yup, there's a but.

If you were reporting this to me, I'd likely be just a teeny tiny bit curious about you. And chances are pretty good that you've left some tracks in my logs, especially if you were making interesting page calls or posts. Or some manager may ask his team, "Can we check to see if this has been exploited and track them down?" Your hits will be part of that investigation.

While I agree, anonymous is great, if you've not maintained that anonymity in your testing, at least be aware you can still get into some trouble. This is one of those cases I might suggest tabling your findings and chalking it up as a learning experience on multiple levels.

<- snip ->

On Wed, May 30, 2007 at 09:14:39AM +0100, Lee Lawson wrote:
> I would personally create an anonymous email account and send them some
> information stating that you are a penetration tester that 'happened'
> upon a possible security flaw in their website, but because of the
> state of fear that some unenlightened organisations have about this
> type of situation, you wish to remain anonymous at this point. Then
> explain that if they are open to increasing the security of their
> website, you will gladly analyse the security flaw further and give
> them full disclosure, on the basis that you will be given written
> permission prior to continuing further.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:50 EDT