Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Disclosure of vulns and its legal aspects...
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Wed, 30 May 2007 08:51:44 -0700

itself was on it's website... My first step and only one so far was to
write the vendor the typical "praxis" e-mail saying that there MIGHT
be a vulnerability SOMEWHERE on their website and that i would like
carte blanche to investigate a bit more about it. I am now stuck with
3 thoughts, first of all, if the answer is no ( most common perhaps)
the vendor will be losing its chance to know where and what flaw is
it... will i be stuck with that and not be able to publicize it to the
security community?

When this has happened to me, I try to phone the affected party. I detail the flaw, point them in the right direction ( email is a last resort ) , I do not say there MIGHT be a possible flaw SOMEWHERE ( good way to raise suspicion, they expect extortion next... ). I NEVER ask to fix or probe more, I do tell them I am a freelance pentester, I DO NOT offer services or offer to fix for PAY. Generally they understand, sometimes not ( questions like "why would anyone enter bad data in my web form?" and "we have the best devs, there is no problem" are common ), most helpfull are screenshots to show what you mean. As for reporting / disclosing publicly... unless the site uses a common script / cms / whathaveyou, the flaw is most likely site specific, there realy is no need to disclose the flaw to the public ( it simply serves no good )


This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]