Re: How to report a Vulnerability to a Company

From: Liran Cohen (theog@rct.co.il)
Date: Sun Jan 13 2008 - 11:03:53 EST


In my eyes, unless you make it a habit of yours to pen test systems you
weren't paid for, you shouldn't even try and hack them (pen test - or
whatever you would call it). If you decide to do something illegal, I would
expect that it is all a matter of time and money: how much, and for how long,
that company is willing to pay in order to find out who infiltrated
their systems.

Cheers,

krymson@gmail.com wrote:
> Before you go the anonymous route, think about how truly anonymous you are. If you report a vulnerability to the company, and they (rightly) decide to scan their logs to see if someone has exploited that vulnerability, they may come across you in the logs. Since they don't know you, this might trigger an incident response process. If the exploit is big enough and the process continued enough, they might pursue you and disclose to their customers before they realize it was just you. Hopefully if you go this route, you did your "testing" from a non-identifiable Internet connection.
>
> (Note: I'm not condoning "testing" sites from an anonymous account, but the grey hat in me says that if you do decide to go this dubious route, do so with some foresight and use someone else's box/connection, whether that be a wifi hotspot, proxy, or ssh tunnel...)
>

-- 
Liran Cohen
http://www.rct.co.il
http://www.wood-wonders.net
http://www.icon-a.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT