Penetration Testing mailing list archives
RE: How to report a Vulnerability to a Company
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Tue, 8 Jan 2008 11:44:07 -0800
It all depends on what you mean by "have credit for that." If "credit" means that you want to contribute to the overall security of the community, then you just report it to the company and move on. If you want credit for being "l33t" to your peers for finding the password for any user because of the poor coding skills of some dev team, you should probably be careful, as the fact that you explored the vulnerability to the extent of finding that out in the first place means that you have almost certainly broken several laws and you could be held legally responsible for your actions.

As far as the "value" of that "credit," you have to ask yourself how much value there really is in finding a site subject to SQL Injection as it relates to peer review. At this point in the game, finding SQL Injection is trivial - I doubt it will give you any "street cred" at all - if it does, you're on the wrong street.

That being said, as far as the customer is concerned, there is still obviously much work that needs to be done to educate developers on the secure development of data-driven web applications. I was on a job some time back (when I worked elsewhere) where I identified SQL Injection attacks that would have been devastating to the client and application team. Identifying the vulnerability to the team (as part of a professional engagement deliverable) was incredibly valuable to the client. In that respect, edification was the true value, and the "credit" taken was simply part of my job and duty to the client and overall community.

However, publishing the vulnerability to the "world" with a "Hey, look at me, I found a SQL Injection vulnerability," if done for the purposes of personal gain and self-promotion, would have had no value to any "real" professional and would have ended up hurting the client - which would have been wrong, even with legal issues aside.

t
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vikas Singhal
Sent: Monday, January 07, 2008 4:25 AM
To: pen-test () securityfocus com
Subject: How to report a Vulnerability to a Company

Hi all,

Let's say I found a vulnerability in some company's website (e.g. SQL Injection) and that vulnerability is crucial to the company. How do I ethically report it to the company and have credit for that? Can I go and say "Hey! I found a vuln in your website which gives me the password back for any user"? Or is doing this kind of stuff not ethical at all unless you make an SLA with the company before doing any pentest of your own?

Can somebody give me any pointers in this direction?

Regards
Vikas Singhal