Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: "Gallicchio, Florindo (2282)" <florindo.gallicchio () ESAVIO COM>
Date: Mon, 2 Oct 2000 17:20:21 -0400

We certainly do not do this!  I take a very dim view of this type of
solicitation.  If I were the recipient of the call from a company poking at
my site, I'd think the following:

1.  The opportunists say they were "just poking around," but I'd wonder if
they were doing more than that.  I'd probably call the authorities.

2.  The opportunists don't know how to legitimately market their services
and cold call potential customers.  I'd dismiss them as amateurs.

I'm not saying that your company is one of these opportunists, but you would
certainly look like it to many people.  I'd stick with the traditional
methods that consulting companies use.

Florindo

On Mon, 2 Oct 2000, Christopher M. Bergeron wrote:

Here's a scenario that I'd like to get people's input on:

A) Our company does pen-tests, security auditing etc...
B) Our team finds a vulnerability/hole on a website just by poking
around / using the site.

The question is this:
Do we tell the website company who we are and that we have discovered
a vulnerability and then offer to provide them assistance with the
vulnerability (for pay of course).  i.e. offering them a full pen-test
or an IDS or something...?
Or does this tend to fall into the "chasing ambulances" type of
business marketing strategy?


