Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reporting website vulnerabilities

From: "Peter Manis" <manis () digital39 com>
Date: Tue, 4 Sep 2007 18:34:01 -0400
I sent an email to their privacy department and they are supposed to
contact me.  If they refuse to take action, then they will feel it is
not a security issue and there is no reason I shouldn't make the
knowledge public.  After it is taken care of I may write about it so
that people signed up as an affiliate can change their passwords.

On 9/4/07, benoit noteris <noteris () gmail com> wrote:

hi
i think good think to do may be to contact the administrator instead of
public announcement
but you do what ever you want.

ben
have a nice day

2007/9/2, Peter Manis < manis () digital39 com>:


I am an affiliate of a website that I guess you could consider
popular.  Everything is passed over an insecure connection, such as
the login, changing passwords, home address, and some other
information that is more sensitive.

I have plans to contact the company and inform them about all of this,
however they should already know which makes it that much worse.  I
also feel the public should know since their information is what is
being transmitted over an insecure connection.  What is a good
procedure for handling things like this?  I have heard companies can
sue if you release vulnerabilities to the public.

- Pete



------------------------------------------------------------------------

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads


------------------------------------------------------------------------








------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: