Penetration Testing Mailing List

While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

List Archives

Monthly archives cover the years 2000 through 2014.

Latest Posts

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Dotzero (Jul 31)
I'm going to agree with Mike on this. You need to be very careful in
how you proceed. Looking at it from the other side, the organization
that is being contacted does not know what your motivations are. From
time to time I've had "pen-testers" reach out over things they've
found (or think they've found). Some of the approaches have sounded
suspiciously like extortion. We've noticed reputable firms hitting our...

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Mike Peppard (Jul 31)
Don't do this. No good deed goes unpunished.

This is not the only security list I am on and while I strongly
sympathize and would treat the OP to pizza for his friends and family
out of my own pocket for bringing this to me, the reaction from others
could be aggressive police and legal action.


RE: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Mostyn, William Thomas (Tom) (Jul 30)
You could try reporting it at this site:

http://www.ic3.gov/default.aspx

Tom
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tim
Sent: Wednesday, July 30, 2014 11:36 AM
To: Michał Rybiński
Cc: pen-test () securityfocus com
Subject: Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability?

Have you tried...

[Onapsis Security Advisory 2014-021] SAP HANA XS Missing encryption in form-based authentication Onapsis Research Labs (Jul 30)
Onapsis Security Advisory 2014-021: SAP HANA XS Missing encryption in
form-based authentication

This advisory can be downloaded in PDF format from
http://www.onapsis.com/.

By downloading this advisory from the Onapsis Resource Center, you will
gain access to beforehand information on upcoming advisories,
presentations and new research projects from the Onapsis Research Labs,
as well as exclusive access to special promotions for upcoming...

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Tim (Jul 30)
Have you tried contacting their public relations department?
Marketing department? Try to get them on the phone. Those kinds of
folks have a big interest in protecting the brand of the company and
they have the ear of executives. Failing that, make the issue very
public on social media (as already suggested), but perhaps don't
release technical details right away.

Another avenue would be to contact government authorities who are in...

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Dolev Farhi (Jul 27)
Hi,
If I were you, I wouldn't post this in fulldisclosure, at all. This is
due to the harm it may cause the involved and uninformed innocent
people, as you described.
If the company doesn't respond to emails try to look for official
channels: Facebook, Twitter, Linkedin? and send an informing message via
those channels.
There is always some kind of way.
If there is absolutely no way of contacting them, try contacting the
host...

Re: failure notice Nikola Milosevic (Jul 25)
Well I believe the right answer is nothing. If you publicly disclose it,
you are risking being sued.

It is ethical to disclose it to them, as you did. However, the company is
not liable for giving you a prize or even doing anything about the vulnerability
(I guess until it is too late). They don't even need to write you a thank-you
mail. It is good practice to do something about it, and even to give a prize to
motivate such researchers and harden their...

How to deal with the company that doesn't react on providing them information about serious security vulnerability? Michał Rybiński (Jul 25)
Hi all,

I believe this is the best place to ask such a question because I would
imagine that most people reading this list have something to do
with discovering vulnerabilities and reporting them to the parties
responsible.

At the beginning of January I discovered a security flaw
which allows basically anyone to access all personal client data
(full name, full address, email address and a few more) of one of the
most known...

Ruxcon 2014 Final Call For Presentations cfp (Jul 15)
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the Final Call For Presentations for Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th of October at the CQ Function Centre,
Melbourne, Australia.

The deadline for submissions is the 15th of September, 2014.

.[x]. About Ruxcon .[x].

Ruxcon is...

SmartPentester 1.0 released Smart Splat (Jun 27)
Hi All,

SmartPentester 1.0 is now available. It's an SSH-based penetration
testing framework for systems like Kali and Backtrack.
It provides a GUI for well-known tools like
nmap, hping, tcpdump, volatility, hydra, etc., consisting of modules for
penetration testing,
malware analysis, forensic analysis, cyber intelligence, advanced
packet generation techniques and more.

It's free for personal or commercial use.
Any feedback is welcome.

Thanks

website :...

[HITB-Announce] #HITB2014KUL round 1 CFP submission deadline in < 1 week Hafez Kamal (Jun 24)
The deadline to submit your papers for the 12th and FINAL HITB
Security Conference in Malaysia is just around the corner! Paper
selection will be done in two rounds:

ROUND 1 DEADLINE: 30th June 2014
FINAL DEADLINE: 31st July 2014

HITBSecConf2014 - Malaysia takes place at Intercontinental Kuala Lumpur
from October 13th - 16th (13th / 14th = training // 15th / 16th =
conference)

http://conference.hitb.org/hitbsecconf2014kul/

---

As always,...

Embedded Device Security Conference 2014 // CFP Michael Eddington (Jun 10)
EDSC is an annual security conference focusing on embedded systems,
hardware, and anything behind the silicon curtain. Embedded systems
testing is a rapidly expanding area of the security industry and
staying current is important for engineers, researchers, and testers
alike. EDSC brings the top thought leaders in the embedded security
field together for two days to share knowledge, techniques, and
research.

http://edsconf.com

EDSC goals are...

More Lists

Dozens of other network security lists are archived at SecLists.Org.