Full Disclosure mailing list archives

Looking for a pro-bono white hat...


From: Scott <f0rtify () yahoo com>
Date: Tue, 22 Mar 2005 10:28:27 -0800 (PST)

Hi all,

I work for a non-profit organization here in the US. 
Over the last four years, we have engaged a technology
firm to build a large, custom Apache/PHP-based
application for us that has CRM-type features.

Recently, we found that one of our servers had been
rooted.  We have cleaned up most of the resulting
mess, but unfortunately, we haven't figured out what
vector(s) the attackers used to gain access to our
system.  The application is fairly large and it has
not undergone any sort of security audit.

We're a 501(c)3 nonprofit, which means that we're poor
and we do not have any money to spend on security
testing. :-(

In my dream world, I'd like to find a white hat with a
verifiable reputation (so I can try to sell the idea
of "letting hackers try to break into our servers" to
our management) who would be willing to donate a
couple of hours in attempting to validate our site's
security.  Other than giving you "good karma", we
could probably write you an acknowledgement letter for
an in-kind donation as well (which, if you live in the
US and if your accountant agrees, might be usable as a
tax deduction).

I don't really want to advertise the details of our
insecure site to the whole list, so more details are
available on request.  (If you can include any info
about the organization you work for, that would be
appreciated, since it would help me avoid disclosing
any details to script kiddies.)

Thanks!
Scott



                