Penetration Testing mailing list archives
RE: How to report a Vulnerability to a Company
From: "Barry Greene (bgreene)" <bgreene () cisco com>
Date: Tue, 8 Jan 2008 11:44:02 -0800
If there is no information on the Web site for reporting the vulnerability, then pick a CERT team, contact them, and get them to help you contact that company. That covers you A$%^ and makes it easier to contact the company. There is a difference between some individual cold calling a vulnerability and someone like US CERT calling someone.

My $.02.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vikas Singhal
Sent: Monday, January 07, 2008 4:25 AM
To: pen-test () securityfocus com
Subject: How to report a Vulnerability to a Company

Hi all,

Let's say I found a vulnerability in some company's website (e.g. SQL Injection) and that vulnerability is crucial to the company. How do I ethically report it to the Company and have credit for that? Can I go and say "Hey! I found a vuln in your website which gives me the password back for any user"? Or doing this kinda stuff is not ethical at all unless you make an SLA with the company before doing any of your own pentest.

Can somebody give me any pointer in this direction?

Regards
Vikas Singhal