RE: How to report a Vulnerability to a Company

From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Tue Jan 08 2008 - 14:44:07 EST


It all depends on what you mean by "have credit for that." If "credit"
means that you want to contribute to the overall security of the
community, then you just report it to the company and move on. If you
want credit for being "l33t" to your peers for finding the password for
any user because of the poor coding skills of some dev team, you should
probably be careful as the fact that you explored the vulnerability to
the extent of finding that out in the first place means that you have
almost certainly broken several laws and you could be held legally
responsible for your actions.

As far as the "value" of that "credit," you have to ask yourself how
much value there really is in finding a site subject to SQL Injection as
it relates to peer review. At this point in the game, finding SQL
Injection is trivial - I doubt it will give you any "street cred" at all
- if it does, you're on the wrong street. That being said, as far as
the customer is concerned, there is still obviously much work that needs
to be done to educate developers on the secure development of
data-driven web applications.

I was on a job some time back (when I worked elsewhere) where I
identified SQL Injection attacks that would have been devastating to the
client and application team. Identifying the vulnerability to the team
(as part of a professional engagement deliverable) was incredibly
valuable to the client. In that respect, edification was the true
value, and the "credit" taken was simply part of my job and duty to the
client and overall community. However, publishing the vulnerability to
the "world" with a "Hey, look at me, I found a SQL Injection
vulnerability" if for the purposes of personal gain and self-promotion
would have had no value to any "real" professional and would have ended
up hurting the client - which would have been wrong, even with legal
issues aside.

t

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Vikas Singhal
> Sent: Monday, January 07, 2008 4:25 AM
> To: pen-test@securityfocus.com
> Subject: How to report a Vulnerability to a Company
>
> Hi all,
>
> Let's say I found a vulnerability in some company's website (e.g. SQL
> Injection) and that vulnerability is crucial to the company. How do I
> ethically report it to the company and get credit for that?
>
> Can I go and say "Hey! I found a vuln in your website which gives me
> the password back for any user"? Or is doing this kind of stuff not
> ethical at all unless you make an SLA with the company before doing any
> pentest of your own?
>
> Can somebody give me a pointer in this direction?
>
> Regards
> Vikas Singhal
