Penetration Testing mailing list archives
Re: how to alert company of security hole
From: scheyne () att net
Date: Thu, 18 Mar 2004 20:17:55 +0000
You know, this is something that may of a sensitive nature, but I see it as an "OPPORTUNITY!" I have been in the same situation and so I called the CSO or CISO of the company and talk to them only and then keep your mouth tightly sealed. This presents the opportunity to "network" for a future job and at the same time, it is a professional thing to do. Documentation sent to them is very important, and may even require a non-disclosure agreement, but it is the right thing to do. If it is an American company and possibly on the SEC board, you are once again doing the right thing. I am a SME on SARBANES-OXLEY and it is a necessity, and if they choose not to do anything about it, they are fined and could face imprisonment if it devulges customer information. Sam Cheyne
Hi All, Not sure if this question belongs here or not, but ... I am curious about an approach one would take in alerting a company that their web site/e-shop has multiple vulnerabilities. In other words should the individual who discovered the holes contact the parties involved directly or anonymously in fear of law suit? Also, would one be swimming in murky waters if they were looking at some reward for the discovery ... Cheers, Serg sbonlinux[AT]hotmail.com Your friendly neighborhood geek. _________________________________________________________________ We've 100s of NEW questions! Play Millionaire online to win $$$$. Click here http://sites.ninemsn.com.au/minisite/millionaire/default.asp --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
--------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- how to alert company of security hole Serg B. (Mar 18)
- <Possible follow-ups>
- Re: how to alert company of security hole scheyne (Mar 19)
- RE: how to alert company of security hole Jonathan Pokrzyk (Mar 19)
- Re: how to alert company of security hole Bob Radvanovsky (Mar 19)
- RE: how to alert company of security hole Meidinger Chris (Mar 22)