Penetration Testing mailing list archives

Re: How to report a Vulnerability to a Company


From: krymson () gmail com
Date: 9 Jan 2008 22:37:21 -0000

Before you go the anonymous route, think about how truly anonymous you are. If you report a vulnerability to the company, and they (rightly) decide to scan their logs to see if someone has exploited that vulnerability, they may come across you in the logs. Since they don't know you, this might trigger an incident response process. If the exploit is big enough and the process continued enough, they might pursue you and disclose to their customers before they realize it was just you. Hopefully if you go this route, you did your "testing" from a non-identifiable Internet connection.

(Note: I'm not condoning "testing" sites from an anonymous account, but the grey hat in me says that if you do decide to go this dubious route, do so with some foresight and use someone else's box/connection, whether that be a wifi hotspot, proxy, or ssh tunnel...)
