Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: How to report a Vulnerability to a Company
From: Liran Cohen <theog () rct co il>
Date: Sun, 13 Jan 2008 18:03:53 +0200

in my eyes, unless you make it a habit of yours to pen test systems you weren't paid for, you shouldn't even try and hack them (pen test - or whatever you would call it) if you decide do something illegal I would expect that it is all a matter of time and money, how much for how long that company is willing to pay in order to find out who infiltrated their systems.

Cheers,

krymson () gmail com wrote:
Before you go the anonymous route, think about how truly anonymous you are. If you report a vulnerability to the company, and they 
(rightly) decide to scan their logs to see if someone has exploited that vulnerability, they may come across you in the logs. Since 
they don't know you, this might trigger an incident response process. If the exploit is big enough and the process continued 
enough, they might pursue you and disclose to their customers before they realize it was just you. Hopefully if you go this route, you 
did your "testing" from a non-identifiable Internet connection.

(Note: I'm not condoning "testing" sites from an anonymous account, but the grey hat in me says that if you do decide to go 
this dubious route, do so with some foresight and use someone else's box/connection, whether that be a wifi hotspot, proxy, or ssh 
tunnel...)

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



--
Liran Cohen
http://www.rct.co.il
http://www.wood-wonders.net
http://www.icon-a.com


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]