RE: how to alert company of security hole

From: Jonathan Pokrzyk (jpokrzyk@matriximaging.com)
Date: Thu Mar 18 2004 - 16:35:51 EST

• Next message: Pete Herzog: "RE: Bank Audit Best practices"
• Previous message: Chuck Fullerton: "RE: Bank Audit Best practices"
• Maybe in reply to: Serg B.: "how to alert company of security hole"
• Next in thread: Bob Radvanovsky: "Re: how to alert company of security hole"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Serg,

What kind of vulnerabilities did you find? And did you actually exploit
any of them? Running a nessus scan is one thing. I'm would like to get
to the point where I can actually get into a system. Just looking for
some tips.

I'm not really the person to ask but I think as long as you haven't
damaged or stolen any of the data I doubt any company would spend its
resources on prosecuting you.

Jon

-----Original Message-----
From: Serg B. [mailto:sbonlinux@hotmail.com]
Sent: Thursday, March 18, 2004 12:24 PM
To: pen-test@securityfocus.com
Cc: sbonlinux@hotmail.com
Subject: how to alert company of security hole

Hi All,
Not sure if this question belongs here or not, but ...
I am curious about an approach one would take in alerting a company that

their web site/e-shop has multiple vulnerabilities. In other words
should
the individual who discovered the holes contact the parties involved
directly or anonymously in fear of law suit?
Also, would one be swimming in murky waters if they were looking at some

reward for the discovery ...

   Cheers,
      Serg
      sbonlinux[AT]hotmail.com
      Your friendly neighborhood geek.

_________________________________________________________________
We've 100s of NEW questions! Play Millionaire online to win $$$$. Click
here
  http://sites.ninemsn.com.au/minisite/millionaire/default.asp

------------------------------------------------------------------------

---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Next message: Pete Herzog: "RE: Bank Audit Best practices"
• Previous message: Chuck Fullerton: "RE: Bank Audit Best practices"
• Maybe in reply to: Serg B.: "how to alert company of security hole"
• Next in thread: Bob Radvanovsky: "Re: how to alert company of security hole"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT