RE: How to report a Vulnerability to a Company

From: Barry Greene (bgreene) (bgreene@cisco.com)
Date: Tue Jan 08 2008 - 14:44:02 EST


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If there is no information on the Web site for reporting the
vulnerability, then pick a CERT team, contact them, and get them to
help you contact that company. That covers your A$%^ and makes it
easier to contact the company. There is a difference between an
individual cold calling a vulnerability and someone like US CERT
calling someone.

My $.02.

 

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Vikas Singhal
> Sent: Monday, January 07, 2008 4:25 AM
> To: pen-test@securityfocus.com
> Subject: How to report a Vulnerability to a Company
>
> Hi all,
>
> Let's say I found a vulnerability in some company's website
> (e.g. SQL Injection) and that vulnerability is crucial to the
> company. How do I ethically report it to the company and get
> credit for that?
>
> Can I go and say "Hey! I found a vuln in your website which
> gives me the password back for any user"? Or is doing this kind of
> stuff not ethical at all unless you make an SLA with the
> company before doing any pentest of your own?
>
> Can somebody give me any pointers in this direction?
>
> Regards
> Vikas Singhal
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR4PSgr/UEA/xivvmEQLL6wCfdhpDf71ptSCtK61suSUToQqqRSsAoIth
zvyuQfCQBqNhp7e3mceNjP4g
=w8PH
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT