Penetration Testing mailing list archives
Re: Reporting website vulnerabilities
From: "Peter Manis" <manis () digital39 com>
Date: Tue, 4 Sep 2007 18:34:01 -0400
I sent an email to their privacy department and they are supposed to contact me. If they refuse to take action, then they will feel it is not a security issue and there is no reason I shouldn't make the knowledge public. After it is taken care of I may write about it so that people signed up as an affiliate can change their passwords.

On 9/4/07, benoit noteris <noteris () gmail com> wrote:
> Hi, I think a good thing to do may be to contact the administrator instead of a public announcement, but you do whatever you want.
>
> ben
> Have a nice day
>
> 2007/9/2, Peter Manis <manis () digital39 com>:
>> I am an affiliate of a website that I guess you could consider popular. Everything is passed over an insecure connection, such as the login, changing passwords, home address, and some other information that is more sensitive. I have plans to contact the company and inform them about all of this; however, they should already know, which makes it that much worse. I also feel the public should know since their information is what is being transmitted over an insecure connection. What is a good procedure for handling things like this? I have heard companies can sue if you release vulnerabilities to the public.
>>
>> - Pete
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>> Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
>> http://www.cenzic.com/downloads
>> ------------------------------------------------------------------------