Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Informing Companies about security vulnerabilities...
From: bugtraq () cgisecurity net
Date: Wed, 4 Oct 2006 15:15:07 -0400 (EDT)

So you are admitting publicly that you and a class of students that you teach are illegally testing random public 
websites for the purpose of learning about security vulnerabilities? Sounds like you/your company need to speak
with a lawyer.  

- Robert 
http://www.cgisecurity.com/ Application Security news and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joseph McCray
Sent: Wednesday, October 04, 2006 3:07 AM
To: pen-test () securityfocus com
Subject: Informing Companies about security vulnerabilities...

This probably won't sound like that big of a deal, but it still bothered me so I figured I'd ask the list. I was 
teaching a Web Application Security class last week and we were performing simple XXS, SQL Injection, etc on the 
vulnerable web apps I use for class.

Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to 
approach certain types of websites. A common subject is how to handle large website with tons of dymanic content - so 
the class chose a major newspaper's website for the discussion. 

Usually when we do this we only find a few simple things (XXS for
example) - no big deal right. With this particular website we just kept finding another, after another and on and on. 
Over 600 instances of XXS, over 200 SQL Injection - this was bad. After a while it started to get boring there was so 

So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my finding 
and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I 
emailed it again and followed up with a phone call. After getting no response to the second email and then having been 
bounced around from department to department when I called I just said forget it.

Has anyone else gone through a similar situation? Was the company receptive? Other companies I've contacted in the past 
have been quite receptive - I'm just curious if other people have gone through this as well.

No need to fill the list with this, you can email me directly with your inputs and stories.

Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com

Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]