Penetration Testing mailing list archives

Re: Disclosure of vulns and its legal aspects...
From: krymson () gmail com
Date: 30 May 2007 18:50:24 -0000

First, I fully agree that you should dump them the information anonymously and then walk away.

But...yup, there's a but.

If you were reporting this to me, I'd likely be just a teeny tiny bit curious about you. And chances are pretty good 
that you've left some tracks in my logs, especially if you were making interesting page calls or posts. Or some manager 
may ask his team, "Can we check to see if this has been exploited and track them down?" Your hits will be part of that.

While I agree that anonymous is great, if you've not maintained that anonymity in your testing, at least be aware you can 
still get into some trouble. This is one of those cases where I might suggest tabling your findings and chalking it up as a 
learning experience on multiple levels.

<- snip ->

On Wed, May 30, 2007 at 09:14:39AM +0100, Lee Lawson wrote:
I would personally create an anonymous email account and send them some
information stating that you are a penetration tester that 'happened'
upon a possible security flaw in their website, but because of the
state of fear that some unenlightened organisations have about this
type of situation, you wish to remain anonymous at this point. Then
explain that if they are open to increasing the security of their
website, you will gladly analyse the security flaw further and give
them full disclosure, on the basis that you will be given written
permission prior to continuing further.
