PaulDotCom mailing list archives

Re: He is not evil, checked a site without authorization, found an issue...then what?


From: Jim Halfpenny <jim.halfpenny () gmail com>
Date: Fri, 13 Jan 2012 10:04:09 +0000

Hi,
You could try contacting the guys at upSploit - https://upsploit.com/
They handle disclosure, anonymous or otherwise, of vulnerabilities
with the affected parties. This allows you to distance yourself from
the disclosure but still have a communications channel open
(potentially). Use an alias if you wish for further anonymity when
contacting them.

Regards,
Jim

On 12 January 2012 20:33, Sherif El-Deeb <archeldeeb () gmail com> wrote:
Hi all,

I have a friend "Bob" who found a vulnerability, (SQL injection, error based
-> v.fast data dumping)  in a banking website that gave him access to all
the customers' details among many other things, he is not evil, and he came
to me for advice:

1- He knows he shouldn't have done the test in the first place without
authorization and he is afraid that he might get prosecuted if he reported
it ("happened before, right?").
2- He knows that this has to be reported because it leaves customer data
exposed, and he has to act fast.
3- He would very much like to get rewarded :) not necessarily by money, a
thank you letter will be just fine.

I told him if we couldn't figure out a way to make sure he won't get
prosecuted, he will just make the great sacrifice, be a good citizen and
anonymously report it, and the only benefit he will gain will be sleeping at
night feeling a little better about himself, knowing that because of the time
and effort he spent finding and reporting the issue, thousands and
thousands of innocent people's financial data is a bit more secure.

Any advice?

Thanks in advance.
Sherif Eldeeb

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________