RE: how to alert company of security hole

From: Meidinger Chris (chris.meidinger@badenit.de)
Date: Mon Mar 22 2004 - 03:31:44 EST


Hello Serg,

this is the http://www.wiretrip.net/rfp/policy.html disclosure policy for
software vulnerabilities developed by rain.forest.puppy, and is considered
pretty standard. There would, however, be absolutely no reason for
full-disclosure about vulnerabilities in an e-shop. Considering that, I would
agree with a previous poster that you should get in touch with a (the)
board-level person responsible for IT. Try to be as cooperative as possible,
and use your social engineering skills to make that person want you to fix
the problems, and want to give you money for it.

As far as specifically asking for a reward, those are kind of murky waters.
The main problem (as I see it) is that the person may feel like you are
trying to extort money. Think of this in terms of a *non* e-business. If you
go into a store, and tell them that you happened to be exploring the sewers
looking for ways into buildings, and coincidentally stumbled upon a way
into *their* buildings, they will kind of wonder why you were doing that,
but in general be happy you let them know. If you ask for money to show them
where the breach is, and help to close that access off, that company is not
going to have a really good feeling about you or your integrity. Remember
that in security, you really have to work to build trust relationships with
your customers. Even if they do pay you to fix *this* problem, I see it as
unlikely that the situation could develop into a good working relationship
if you demand money. Remember that this executive is going to feel pretty
violated, particularly if e-business is that company's main thing.

In a case like this, I think the best advice is to try to manipulate the
person into wanting you to help them in the future. (I know that sounds kind
of evil, so if you want you can trade the word manipulate for (social)
engineer.) Try to build trust, hope they offer to pay you, and if they don't
do that, mention how neat you thought their site was, and ask if they would
be interested in any kind of partnership.

Just a couple of thoughts,

Chris

> -----Original Message-----
> From: Serg B. [mailto:sbonlinux@hotmail.com]
> Sent: Thursday, March 18, 2004 6:24 PM
> To: pen-test@securityfocus.com
> Cc: sbonlinux@hotmail.com
> Subject: how to alert company of security hole
>
> Hi All,
> Not sure if this question belongs here or not, but ...
> I am curious about an approach one would take in alerting a
> company that their web site/e-shop has multiple
> vulnerabilities. In other words should the individual who
> discovered the holes contact the parties involved directly or
> anonymously in fear of law suit?
> Also, would one be swimming in murky waters if they were
> looking at some reward for the discovery ...
>
> Cheers,
> Serg
> sbonlinux[AT]hotmail.com
> Your friendly neighborhood geek.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT