Penetration Testing mailing list archives
RE: how to alert company of security hole
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 22 Mar 2004 09:31:44 +0100
Hello Serg,

This is the disclosure policy for software vulnerabilities developed by rain.forest.puppy, http://www.wiretrip.net/rfp/policy.html, and it is considered pretty standard.

There would, however, be absolutely no reason for full disclosure about vulnerabilities in an e-shop. Considering that, I would agree with a previous poster that you should get in touch with a (the) board-level person responsible for IT. Try to be as cooperative as possible, and use your social engineering skills to make that person want you to fix the problems, and want to give you money for it.

As far as specifically asking for a reward, those are kind of murky waters. The main problem (as I see it) is that the person may feel like you are trying to extort money. Think of this in terms of a *non* e-business. If you go into a store and tell them that you happened to be exploring the sewers looking for ways into buildings, and coincidentally stumbled upon a way into *their* building, they will kind of wonder why you were doing that, but in general be happy you let them know. If you ask for money to show them where the breach is and help to close that access off, that company is not going to have a really good feeling about you or your integrity.

Remember that in security, you really have to work to build trust relationships with your customers. Even if they do pay you to fix *this* problem, I see it as unlikely that the situation could develop into a good working relationship if you demand money. Remember that this executive is going to feel pretty violated, particularly if e-business is that company's main thing. In a case like this, I think the best advice is to try to manipulate the person into wanting you to help them in the future. (I know that sounds kind of evil, so if you want you can trade the word "manipulate" for "(social) engineer".)

Try to build trust, hope they offer to pay you, and if they don't do that, mention how neat you thought their site was, and ask if they would be interested in any kind of partnership.

Just a couple of thoughts,
Chris
-----Original Message-----
From: Serg B. [mailto:sbonlinux () hotmail com]
Sent: Thursday, March 18, 2004 6:24 PM
To: pen-test () securityfocus com
Cc: sbonlinux () hotmail com
Subject: how to alert company of security hole

Hi All,

Not sure if this question belongs here or not, but ... I am curious about the approach one would take in alerting a company that their web site/e-shop has multiple vulnerabilities. In other words, should the individual who discovered the holes contact the parties involved directly, or anonymously for fear of a lawsuit? Also, would one be swimming in murky waters if they were looking for some reward for the discovery ...

Cheers,
Serg
sbonlinux[AT]hotmail.com
Your friendly neighborhood geek.