Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: How to report a Vulnerability to a Company
From: "Barry Greene (bgreene)" <bgreene () cisco com>
Date: Tue, 8 Jan 2008 11:44:02 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If there is no information on the Web site for reporting the
vulnerability, then pick a CERT team, contact them, and get them to
help you contact that company. That covers you A$%^ and makes it
easier to contact the company. There is a different between someone
individual cold calling a vulnerability and someone like US CERT
calling someone. 

My $.02.


 

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Vikas Singhal
Sent: Monday, January 07, 2008 4:25 AM
To: pen-test () securityfocus com
Subject: How to report a Vulnerability to a Company

Hi all,

Lets say I found a vulnerability in some company's website ( 
e.g SQL Injection ) and that vulnerability is crucial to the 
company. How do I ethically report it to the Company and have 
credit for that.

Can I go and say "Hey! I found a vuln in your website with 
gives me the password back for any user" Or doing this kinda 
stuff is not ethical at all unless you make a SLA with the 
company before doing any your own pentest.

Can somebody give me any pointer in this direction.

Regards
Vikas Singhal

--------------------------------------------------------------
----------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
--------------------------------------------------------------
----------


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR4PSgr/UEA/xivvmEQLL6wCfdhpDf71ptSCtK61suSUToQqqRSsAoIth
zvyuQfCQBqNhp7e3mceNjP4g
=w8PH
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault