Re: how to alert company of security hole

From: scheyne@att.net
Date: Thu Mar 18 2004 - 15:17:55 EST


You know, this is something that may be of a sensitive nature, but I see it as an "OPPORTUNITY!"

I have been in the same situation, and so I called the CSO or CISO of the company and talked to them only, and then kept my mouth tightly sealed. This presents the opportunity to "network" for a future job, and at the same time it is a professional thing to do. Documentation sent to them is very important, and may even require a non-disclosure agreement, but it is the right thing to do. If it is an American company and possibly on the SEC board, you are once again doing the right thing. I am a SME on SARBANES-OXLEY and it is a necessity, and if they choose not to do anything about it, they are fined and could face imprisonment if it divulges customer information.

Sam Cheyne

> Hi All,
> Not sure if this question belongs here or not, but ...
> I am curious about an approach one would take in alerting a company that
> their web site/e-shop has multiple vulnerabilities. In other words should
> the individual who discovered the holes contact the parties involved
> directly or anonymously in fear of a lawsuit?
> Also, would one be swimming in murky waters if they were looking at some
> reward for the discovery ...
>
> Cheers,
> Serg
> sbonlinux[AT]hotmail.com
> Your friendly neighborhood geek.
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT