Re: How to report a Vulnerability to a Company

From: Ed Telecommuter (edtelecommuter@yahoo.com)
Date: Wed Jan 09 2008 - 14:04:01 EST


You have to remember, regardless of your perception of your intent, the person you talk to may and will likely perceive you as having exploited the company by sending unsolicited, unpaid-for, unscheduled, unauthorized illegal attacks. You HAVE admitted to violating various laws and, more importantly, principles of good communication and change control, and now in retrospect you will want to present yourself as the white hat, not as a hacker turned grenade thrower.

In your specific case, you have pre-screwed yourself in my opinion. What won't work without likely consequence to yourself is communicating the vulnerability anonymously through email. Your email communications will likely be blocked by any effective spam filter.

Nudge: make a relationship with the right person in the company, in a position to accept your report, after you have earned the right to test for the vulnerability legitimately. Show up at the door, after you have permission to test, with the results, and walk away a hero after reporting it.

Ed

----- Original Message ----
From: "benoni.martin@accenture.com" <benoni.martin@accenture.com>
To: vikas.programmer@gmail.com; pen-test@securityfocus.com
Sent: Wednesday, January 9, 2008 8:12:47 AM
Subject: RE: How to report a Vulnerability to a Company

Hi !

My personal experience was: I found one day a vulnerability on a
commercial site (I could download any file from their web server,
including the config files containing all the logins/passwords/IPs/...
of their database servers ...). So I sent a nice email to the
webmaster/admin reporting that. I was never prosecuted ... but the admin
never patched his web server either ...

BTW, you should also add to your report that it's not a very good idea
to store clear-text passwords in a database, as they seem to do ...
Storing the hashes instead would be really better :)

Regards.

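Benoni's recommendation above, worked through as an added example that is not part of the original thread: per-user salted PBKDF2-HMAC-SHA256 records replacing a clear-text password column, so a leaked table no longer hands the password back for any user. The user names and passwords are constructed sample data; the code uses only Python's standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; raise it until one hash costs tens of
# milliseconds on the server so offline guessing of a leaked table is slow.
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed or legacy clear-text record never verifies
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

# Fixed-salt hash of an empty password, so a login attempt for an unknown user
# costs the same as one for a known user (no username oracle through timing).
DUMMY_RECORD = hash_password("", b"\x00" * 16)

def register(users: dict, username: str, password: str) -> None:
    users[username] = hash_password(password)

def login(users: dict, username: str, password: str) -> bool:
    record = users.get(username, DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in users

if __name__ == "__main__":
    # Constructed sample data; the clear-text table is the weak design being replaced.
    cleartext_users = {"alice": "Winter2008!", "bob": "Winter2008!"}
    hashed_users: dict = {}
    for name, pw in cleartext_users.items():
        register(hashed_users, name, pw)
    for name, record in hashed_users.items():
        print(name, record)  # no password visible; alice and bob differ despite the same password
    print(login(hashed_users, "alice", "Winter2008!"))  # True
    print(login(hashed_users, "alice", "winter2008!"))  # False
    print(login(hashed_users, "carol", "Winter2008!"))  # False
```
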
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Vikas Singhal
Sent: Monday, January 7, 2008 13:25
To: pen-test@securityfocus.com
Subject: How to report a Vulnerability to a Company

Hi all,

Let's say I found a vulnerability in some company's website (e.g. SQL
Injection) and that vulnerability is crucial to the company. How do I
ethically report it to the company and get credit for that?

Can I go and say "Hey! I found a vuln in your website which gives me
the password back for any user"? Or is doing this kind of stuff not
ethical at all unless you make an SLA with the company before doing any
pentest of your own?

Can somebody give me any pointers in this direction?

Regards
Vikas Singhal

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT