Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Disclosure of vulns and its legal aspects...
From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 30 May 2007 08:35:03 -0700 (PDT)

IMHO, I would consider probing random web sites for
security vulnerabilities as ethically questionable at
best.  To then promote yourself to the site owner
through what sounds like a veiled threat definitely
crosses the line.  No wonder companies reject those
kinds of demands.  If they are smart, they might turn
around and hire someone with a solid reputation to
hunt down the vulnerability.

In the U.S. there are no clear laws about conducting
this type of research; and so the chance of
prosecution is pretty low, but I wouldn't be surprised
at getting hit with a civil lawsuit.

As I understand the laws in the UK (definitely not my
sphere), you could be (and others have been) jailed
for the activity you've already conducted; making the
point that many people consider this activity not only
unethical, but criminal (kind of overboard, I think).

If you are just concerned about their security, I
would send an anonymous email and then forget about
it.  By no means should you publicize such a
vulnerability until you have disclosed it to the site
owner.
--- Dark Cold Ice <darkcoldice () gmail com> wrote:

Hi all,

It was earlier today whilst testing some websites as
a personal
research/leisure time that i found a quite critical
bug in a major
computer related website which will not be
disclosured until all the
legal aspects of the disclosure process itself are
dealt with.
After detecting the aforementioned vulnerability i
was, like many have
been before, "jailed" between the decisions of
reporting it or not, it
didn't take me long to decide to report it to the
vendor as the flaw
itself was on it's website... My first step and only
one so far was to
write the vendor the typical "praxis" e-mail saying
that there MIGHT
be a vulnerability SOMEWHERE on their website and
that i would like
carte blanche to investigate a bit more about it. I
am now stuck with
3 thoughts, first of all, if the answer is no ( most
common perhaps)
the vendor will be losing its chance to know where
and what flaw is
it... will i be stuck with that and not be able to
publicize it to the
security community?
Second thought, if the vendor says yes, i will
report them the
vulnerability but, what entitles me the right to do
it legally... a
simple e-mail would be enough perhaps...
Third and last thought, if they indeed agree to give
me the chance to
test and report them the vulnerability i will only
be entitled to
publicize it once solved, but even then, will it be
legal to make a
full disclosure?

Thank you all in advance,

Darkcoldice

PS: What would the difference be between the US and
UK laws on that
final aspect?


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020

------------------------------------------------------------------------





       
____________________________________________________________________________________Get the Yahoo! toolbar and be 
alerted to new email wherever you're surfing.
http://new.toolbar.yahoo.com/toolbar/features/mail/index.php

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]