RE: How to report a Vulnerability to a Company

From: Boaz Shunami (BoazS@comsecglobal.com)
Date: Wed Jan 09 2008 - 10:10:09 EST

• Next message: Rivest, Philippe: "RE: Crash in system scanned"
• Previous message: James Matthews: "Re: How to report a Vulnerability to a Company"
• Maybe in reply to: Vikas Singhal: "How to report a Vulnerability to a Company"
• Next in thread: Password Crackers, Inc.: "RE: How to report a Vulnerability to a Company"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Vikas,

Generally speaking it depends on the nature of the company and their
policy.

Doing this stuff can be charged against you (Because the company did not
allow you to attack its website, no matter what you have discovered).

You need to have an agreement or a contract with the company.

Best Regards,

Boaz Shunami

Comsec Consulting

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Vikas Singhal
Sent: Monday, January 07, 2008 2:25 PM
To: pen-test@securityfocus.com
Subject: How to report a Vulnerability to a Company

Hi all,

Lets say I found a vulnerability in some company's website ( e.g SQL
Injection ) and that vulnerability is crucial to the company. How do I
ethically report it to the Company and have credit for that.

Can I go and say "Hey! I found a vuln in your website with gives me
the password back for any user" Or doing this kinda stuff is not
ethical at all unless you make a SLA with the company before doing any
your own pentest.

Can somebody give me any pointer in this direction.

Regards
Vikas Singhal

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the
named recipient(s) only.
If you have received this email in error, please notify the system manager or the sender immediately and do
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Rivest, Philippe: "RE: Crash in system scanned"
• Previous message: James Matthews: "Re: How to report a Vulnerability to a Company"
• Maybe in reply to: Vikas Singhal: "How to report a Vulnerability to a Company"
• Next in thread: Password Crackers, Inc.: "RE: How to report a Vulnerability to a Company"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT