Home page logo
  • Nmap Security Scanner
  • Security Lists
  • Security Tools
  • Site News
  • Advertising
  • About/Contact
  • Sponsors:



/

fulldisclosure logo Full Disclosure mailing list archives

Re: Deutsche Post Security Cup 2013
From: Daniel Preussker <daniel () preussker net>
Date: Wed, 20 Mar 2013 18:56:58 +0100
On 20.03.2013, at 14:59, Benji wrote:


I think its getting ridiculous, if you don't have a name in the industry you're getting sued for the vast majority 
of bugs you solve...
And on the other hand, those same companies give away 3-15.000 for a single bug if the researcher happens to be 
known :|


Examples please


Well for instance we got all those folks that got into trouble with jail-breaking all kinds of devices, I know this is 
not a bug per se but it still has a bad flavor to know that one aint allowed to do nothing with "his" hardware...
Then we got those governmental pages, who don't really care that people like us make their applications more secure... 
mostly even for free...
Here I remember the MTISC thing... MTISC was/is a client-page for ManTech (one of the Top weapon-systems engineer and 
deliverer for mostly any U.S.-Military). Somebody found out that "'OR 1=1" as username and password grants 
administrator level access on the site, making you able to get any invoice and delivery receipt (like Iraqi bases from 
the U.S.-military).. Well, I assume he had quite fun too...
Also PayPal, now they do bug-bounty, some time ago they were fairly pro-active with their lawyers if I remember right...

I've even had a threatening from a bavarian university because I informed them that having a root directory worldwide 
readable via apache2 fancyindexing aint so intelligent...

There are ofc a lot more examples, one individual I used to talk to was close to jail due to an SQL-Injectection 
disclosure...


I admit, I might have over exaggerated the situation a bit in rage.

Kind regards,

Daniel Preussker

[ Security Consultant, Network & Protocol Security and Cryptography
[ LPI & Novell Certified Linux Engineer and Researcher
[ +49 178 600 96 30
[ Daniel () Preussker Net
[ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1

Attachment: PGP.sig
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]