Re: Deutsche Post Security Cup 2013
From: Daniel Preussker <daniel () preussker net>
Date: Wed, 20 Mar 2013 18:56:58 +0100
On 20.03.2013, at 14:59, Benji wrote:
> I think it's getting ridiculous: if you don't have a name in the industry you're getting sued for the vast majority
> of bugs you solve...
> And on the other hand, those same companies give away 3-15.000 for a single bug if the researcher happens to be
Well, for instance, we've got all those folks who got into trouble for jail-breaking all kinds of devices. I know this is
not a bug per se, but it still has a bad flavor to know that one ain't allowed to do anything with "his" hardware...
Then we've got those governmental pages, who don't really care that people like us make their applications more secure...
mostly even for free...
Here I remember the MTISC thing... MTISC was/is a client page for ManTech (one of the top weapons-systems engineers and
suppliers for almost any part of the U.S. military). Somebody found out that "'OR 1=1" as username and password grants
administrator-level access on the site, letting you get any invoice and delivery receipt (like for Iraqi bases of
the U.S. military)... Well, I assume he had quite some fun too...
Also PayPal: now they do bug bounties, but some time ago they were fairly proactive with their lawyers, if I remember right...
I've even had a threat from a Bavarian university because I informed them that having a root directory world-readable
via apache2 fancyindexing ain't so intelligent...
There are of course a lot more examples; one individual I used to talk to was close to jail due to an SQL injection.
I admit, I might have exaggerated the situation a bit in rage.
[ Security Consultant, Network & Protocol Security and Cryptography
[ LPI & Novell Certified Linux Engineer and Researcher
[ +49 178 600 96 30
[ Daniel () Preussker Net
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/