Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How to report a Vulnerability to a Company
From: firesidepeavey () yahoo com
Date: 8 Jan 2008 16:33:32 -0000

Hello. To answer your question, it really depends on your position within the company. I have released many 
vulnerabilities to my company; I have even handed our CIO a print out of my terminal from the hack. Being a Senior Unix 
Engineer, I can get away with reporting issues of that level because it is an assumed responsibility. If your not in 
that type of position, the first thing your company will probably want to know is why where you looking for 
vulnerabilities in the first place. I would recommend having a good answer ready for them. If your position does not 
have that responsibility, then you really have to have permission from the company before you can go wild on their 
network looking for hacks. My recommendation would be to talk with someone you trust in a higher technical position and 
see how they recommend you release this information based off of your companies policies and procedures. What you don't 
want to happen is they fix the vulnerability, then hang you up to
  dry for finding/hacking it. Be careful, sometimes even though its the ethical thing to do it might not be worth your 
job. If it is really that large of a hole, you can always submit it anonymously. 

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]