Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Mon, 2 Oct 2000 14:57:15 -0500

I would personally call it chasing ambulances.  Personally, I subscribe to
about a dozen lists... including Attrition.org's Defaced Web Sites list.
Every so often, someone local shows up.  It does take a lot to restrain the
hand-of-death (tm) from picking up the phone and calling them.

If you see that they are vulnerable from some other method... as in, you
decided to "just see" if they were vulnerable... You might (very politely)
offer your services.  Better yet... Give the info to one of your sales
people as a "Cold Call" lead:

Don't tell the sales guy that this person's vulnerable... Most of the sales
people I've seen can do a fine enough job of convincing someone that they
"need" the service.  If that doesn't open their mind to thinking about
possible threats, nothing will.

-----Original Message-----
From: Christopher M. Bergeron [mailto:ChrisB () HGSS COM]
Sent: Monday, October 02, 2000 12:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Ethics Scenario


Here's a scenario that I'd like to get people's input on:

A) Our company does pen-tests, security auditing etc...
B) Our team finds a vulnerability/hole on a website just by poking around /
using the site.

The question is this:
Do we tell the website company who we are and that we have discovered a
vulnerability and then offer to provide them assistance with the
vulnerability (for pay of course).  i.e. offering them a full pen-test or an
IDS or something...?


Or does this tend to fall into the "chasing ambulances" type of business
marketing strategy?

