Re: Disclosure

[Saphex <saphex () gmail com>]

Hi Dennis,

The problem is that sometime people don't understand, and what they
don't understand, they fear, and with fear comes aggressive *re*actions.
Sometimes isn't if you clearly show good intentions, its more what they
think you're showing :)
But, I'll follow your advise.

Thanks,
saphex

Qua, 2009-02-11 às 23:54 +0200, Dennis Kudin escreveu:
> Hi,
>
> As a first step, just send them a notification with description of the
> vulnerability and let them have some time to fix it. Try to get their
> response to make sure they received your message and understood it
> correctly. This is a normal practice. Why do you think they'll pursue
> you if you clearly show your good intentions and readiness to
> cooperate?
>
> --
> Best regards,
> Dennis
> http://kudin.net
>
> -----Original Message-----
> From: Saphex <saphex () gmail com>
> Sent: Wednesday, February 11, 2009, 21:58:08
> To: security-basics () securityfocus com, , 
> Subject: Disclosure
> Hi,
>
> I have been wondering, how to disclosure vulnerabilities. If some
> corporate web site has a vulnerability, witch is the best approach to
> reveal that vulnerability to them? Without getting a lawsuit or
> something?
> Is there some law compliant way of doing it? Lets assume they didn't ask
> for the security *testing*.
>
> Best regards,
> saphex