Penetration Testing mailing list archives
Re: How to report a Vulnerability to a Company
From: Liran Cohen <theog () rct co il>
Date: Sun, 13 Jan 2008 18:03:53 +0200
In my eyes, unless you make it a habit of yours to pen test systems you weren't paid for, you shouldn't even try and hack them (pen test, or whatever you would call it). If you decide to do something illegal, I would expect that it is all a matter of time and money: how much, for how long, that company is willing to pay in order to find out who infiltrated their systems.
Cheers,

krymson () gmail com wrote:
Before you go the anonymous route, think about how truly anonymous you are. If you report a vulnerability to the company, and they (rightly) decide to scan their logs to see if someone has exploited that vulnerability, they may come across you in the logs. Since they don't know you, this might trigger an incident response process. If the exploit is big enough and the process continued enough, they might pursue you and disclose to their customers before they realize it was just you. Hopefully if you go this route, you did your "testing" from a non-identifiable Internet connection. (Note: I'm not condoning "testing" sites from an anonymous account, but the grey hat in me says that if you do decide to go this dubious route, do so with some foresight and use someone else's box/connection, whether that be a wifi hotspot, proxy, or ssh tunnel...)
--
Liran Cohen
http://www.rct.co.il
http://www.wood-wonders.net
http://www.icon-a.com