Penetration Testing Mailing List

While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

List Archives


Latest Posts

RE: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Mostyn, William Thomas (Tom) (Jul 30)
You could try reporting it at this site:


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tim
Sent: Wednesday, July 30, 2014 11:36 AM
To: Michał Rybiński
Cc: pen-test () securityfocus com
Subject: Re: How to deal with the company that doesn't react on providing them information about serious security

Have you tried...

[Onapsis Security Advisory 2014-021] SAP HANA XS Missing encryption in form-based authentication Onapsis Research Labs (Jul 30)
Onapsis Security Advisory 2014-021: SAP HANA XS Missing encryption in
form-based authentication

This advisory can be downloaded in PDF format from

By downloading this advisory from the Onapsis Resource Center, you will
gain access to beforehand information on upcoming advisories,
presentations and new research projects from the Onapsis Research Labs,
as well as exclusive access to special promotions for upcoming...

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Tim (Jul 30)
Have you tried contacting their public relations department?
Marketing department? Try to get them on the phone. Those kinds of
folks have a big interest in protecting the brand of the company and
they have the ear of executives. Failing that, make the issue very
public on social media (as already suggested), but perhaps don't
release technical details right away.

Another avenue would be to contact government authorities who are in...

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Dolev Farhi (Jul 27)
If I were you, I wouldn't post this in fulldisclosure, at all. This is
due to the harm it may cause the involved and uninformed innocent
people, as you described.
If the company doesn't respond to emails try to look for official
channels: Facebook, Twitter, Linkedin? and send an informing message via
those channels.
There is always some kind of way.
If there is absolutely no way of contacting them, try contacting the

Re: failure notice Nikola Milosevic (Jul 25)
Well I believe the right answer is nothing. If you publicly disclose it,
you are risking being sued.

It is ethical to disclose it to them, as you did. However, the company is
not liable for giving you a prize or even doing anything about the vulnerability
(I guess until it is too late). They don't even need to write you a thank you
mail. It is good practice to do something about it, and even to give a prize to
motivate such researches and harden their...

How to deal with the company that doesn't react on providing them information about serious security vulnerability? Michał Rybiński (Jul 25)
Hi all,

I believe this is the best place to ask such a question because I would
imagine that most of the people reading this list have something to do
with discovering vulnerabilities and reporting them to parties

At the beginning of January I discovered a security flaw
which basically allows anyone to access all of the clients' personal data
(full name, full address, email address and a few more) of one of the
most known...

Ruxcon 2014 Final Call For Presentations cfp (Jul 15)
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
CQ Function Centre


The Ruxcon team is pleased to announce the Final Call For Presentations for Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th of October at the CQ Function Centre,
Melbourne, Australia.

The deadline for submissions is the 15th of September, 2014.

.[x]. About Ruxcon .[x].

Ruxcon is...

SmartPentester 1.0 released Smart Splat (Jun 27)
Hi All,

SmartPentester 1.0 is now available. It's an SSH-based Penetration
Testing Framework for systems like Kali and Backtrack.
It provides a GUI for well known tools like
nmap, hping, tcpdump, volatility, hydra, etc. It consists of modules for
Penetration testing,
Malware Analysis, Forensic Analysis, Cyber Intelligence, Advanced
packet generation techniques and more.

It's free for personal or commercial use.
Any feedback is welcome.


website :...

[HITB-Announce] #HITB2014KUL round 1 CFP submission deadline in < 1 week Hafez Kamal (Jun 24)
The deadline to submit your papers for the 12th and FINAL HITB
Security Conference in Malaysia is just around the corner! Paper
selection will be done in two rounds:

ROUND 1 DEADLINE: 30th June 2014
FINAL DEADLINE: 31st July 2014

HITBSecConf2014 - Malaysia takes place at Intercontinental Kuala Lumpur
from October 13th - 16th (13th / 14th = training // 15th / 16th =



As always,...

Embedded Device Security Conference 2014 // CFP Michael Eddington (Jun 10)
EDSC is an annual security conference focusing on embedded systems,
hardware, and anything behind the silicon curtain. Embedded systems
testing is a rapidly expanding area of the security industry and
staying current is important for engineers, researchers, and testers
alike. EDSC brings the top thought leaders in the embedded security
field together for two days to share knowledge, techniques, and


EDSC goals are...

More Lists

Dozens of other network security lists are archived at SecLists.Org.
