RE: How to report a Vulnerability to a Company

From: Password Crackers, Inc. (pwcrack@pwcrack.com)
Date: Tue Jan 08 2008 - 14:46:16 EST


Rain Forest Puppy put out something that I thought represented a good start
at coming out with an industry standard for this type of thing. However, at
the time, I added a comment that it did not provide for any attempt to
negotiate monetary compensation for the work or research. Compensation is a
sticky wicket because it can be interpreted as extortion. However, any
policy that does not deal with the issue or assumes that all security
research is to be provided free of charge I fear is incomplete. I would
welcome some additions to an industry standard in that regard. I believe
version two is not on his website here:

http://www.wiretrip.net/rfp/policy.html

The fact remains that an accepted industry standard for dealing with
vulnerabilities should be welcomed by all involved.

Bob Weiss
Password Crackers, Inc.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Vikas Singhal
Sent: Monday, January 07, 2008 7:25 AM
To: pen-test@securityfocus.com
Subject: How to report a Vulnerability to a Company

Hi all,

Let's say I found a vulnerability in some company's website (e.g. SQL
Injection) and that vulnerability is crucial to the company. How do I
ethically report it to the company and get credit for that?

Can I go and say "Hey! I found a vuln in your website which gives me the
password back for any user"? Or is doing this kind of stuff not ethical at all
unless you make an SLA with the company before doing any pentest of your own?

Can somebody give me any pointers in this direction?

Regards
Vikas Singhal

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT