Penetration Testing mailing list archives
Re: How to report a Vulnerability to a Company
From: firesidepeavey () yahoo com
Date: 8 Jan 2008 16:33:32 -0000
Hello. To answer your question, it really depends on your position within the company. I have released many vulnerabilities to my company; I have even handed our CIO a printout of my terminal from the hack. Being a Senior Unix Engineer, I can get away with reporting issues of that level because it is an assumed responsibility. If you're not in that type of position, the first thing your company will probably want to know is why you were looking for vulnerabilities in the first place. I would recommend having a good answer ready for them. If your position does not have that responsibility, then you really have to have permission from the company before you can go wild on their network looking for hacks.

My recommendation would be to talk with someone you trust in a higher technical position and see how they recommend you release this information based on your company's policies and procedures. What you don't want to happen is they fix the vulnerability, then hang you out to dry for finding/hacking it. Be careful; sometimes, even though it's the ethical thing to do, it might not be worth your job. If it is really that large of a hole, you can always submit it anonymously.
Current thread:
- How to report a Vulnerability to a Company Vikas Singhal (Jan 08)
- RE: How to report a Vulnerability to a Company benoni.martin (Jan 09)
- RE: How to report a Vulnerability to a Company Paul Melson (Jan 09)
- RE: How to report a Vulnerability to a Company Thor (Hammer of God) (Jan 09)
- RE: How to report a Vulnerability to a Company Barry Greene (bgreene) (Jan 09)
- Re: How to report a Vulnerability to a Company James Matthews (Jan 09)
- RE: How to report a Vulnerability to a Company Password Crackers, Inc. (Jan 09)
- <Possible follow-ups>
- Re: How to report a Vulnerability to a Company firesidepeavey (Jan 09)
- RE: How to report a Vulnerability to a Company Boaz Shunami (Jan 09)
- Re: How to report a Vulnerability to a Company Ed Telecommuter (Jan 10)
- Re: How to report a Vulnerability to a Company krymson (Jan 10)
- Re: How to report a Vulnerability to a Company Liran Cohen (Jan 14)
- Message not available
- Fwd: How to report a Vulnerability to a Company Adam K (Jan 15)
- Re: How to report a Vulnerability to a Company Liran Cohen (Jan 14)