Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: failure notice
From: Nikola Milosevic <nikola.milosevic86 () gmail com>
Date: Fri, 25 Jul 2014 16:26:29 +0100

Well I believe the right answer is nothing. If you publicly disclose it,
you are risking being sued.

It is ethically to disclose it to them, as you did it. However, company is
not liable of giving you price or even do anything about the vulnerability
(I guess until it is too late). They don't even need to write you thank you
mail. It is good practise to do something about, and even to give price to
motivate such researches and harden their security, but no one forces them
to do so.

I know not receiving answer is quite disappointing, but I don't think you
have any other "right" option for reacting to that.

Best regards,

Nikola Milošević


On 25 July 2014 16:21,  <MAILER-DAEMON () lists securityfocus com> wrote:
Hi. This is the qmail-send program at lists.securityfocus.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pen-test () lists securityfocus com>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)

--- Below this line is a copy of the message.

Return-Path: <nikola.milosevic86 () gmail com>
Received: (qmail 14541 invoked from network); 25 Jul 2014 15:21:58 -0000
Received: from sf01mail1.securityfocus.com (HELO mail.securityfocus.com) (192.168.120.35)
  by lists.securityfocus.com with SMTP; 25 Jul 2014 15:21:58 -0000
Received: (qmail 31663 invoked by alias); 25 Jul 2014 15:21:58 -0000
Received: (qmail 31658 invoked from network); 25 Jul 2014 15:21:58 -0000
Received: from sf01mx2.securityfocus.com (192.168.120.32)
  by mail.securityfocus.com with SMTP; 25 Jul 2014 15:21:58 -0000
X-AuditID: c0a87820-b7b97ae000007517-38-53d27616e66d
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44])
        by sf01mx2.securityfocus.com (Symantec Messaging Gateway) with SMTP id 60.56.29975.61672D35; Fri, 25 Jul 2014 
15:21:58 +0000 (GMT)
Received: by mail-oa0-f44.google.com with SMTP id eb12so5723828oac.3
        for <pen-test () securityfocus com>; Fri, 25 Jul 2014 08:21:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-type;
        bh=LN1bYANfptzyu7cgy3/Vf+GrzSi1bK7FavQQlZSjo5k=;
        b=GhcJgI8FetDyXZdD8M05GH7kU+0Ey+kCES0Kr0ROEmEyOSlLmdzgnSjGyfphKNiwO7
         XJs/D2opPJYpi0K8HxQmfMw7OAX+BLjKO3mnG/QzYvGNRbiePBdK4EmcQEzSnzfbg8/D
         hcSH+i9EdEwY+C0PzWvJgK3XEnjIred81agBkMWMLwtILxU3a0PYA6s3fSZdxn1D7Cw9
         TG+1vGmwk8zns8XVhXbns57I5PQanNILJLmMGJ6DHLwMYL+Eb5et21FOP+uyNMoS/0IO
         w6MZBfu1RYpQiMBMe3JnXIWrNHlXO8Ppi/zWyZVsI7C0RuZA24vTmkETXQGURdCM4Kpa
         WZfQ==
X-Received: by 10.182.149.235 with SMTP id ud11mr23892314obb.50.1406301717486;
 Fri, 25 Jul 2014 08:21:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.67.196 with HTTP; Fri, 25 Jul 2014 08:21:37 -0700 (PDT)
In-Reply-To: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ () mail gmail com>
References: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ () mail gmail com>
From: Nikola Milosevic <nikola.milosevic86 () gmail com>
Date: Fri, 25 Jul 2014 16:21:37 +0100
Message-ID: <CAJWAiW48ZA62nXrRiL-naKBu=URGCz-tnLnUNZSEKtCEb8W=RA () mail gmail com>
Subject: Re: How to deal with the company that doesn't react on providing them
 information about serious security vulnerability?
To: =?UTF-8?B?TWljaGHFgiBSeWJpxYRza2k=?= <fishmanos79 () gmail com>
Cc: pen-test () securityfocus com
Content-Type: multipart/alternative; boundary=001a11348abc51692c04ff062208
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmphluJIrShJLcpLzFFi42K5GHpbR1es7FKwwaEtyhatHVtYHRg97p+5
        xR7AGMVlk5Kak1mWWqRvl8CVsXjBAaaCLwYVfz8sY2pgPKjRxcjJISFgItGwax8LhC0mceHe
        erYuRi4OIYGrjBI3D7UwQzhTGSU2n38N5rAITGeVOHmrmxmipUxief9qMJtXQFDi5MwnYKOE
        BLwlVv6eBWZzCgRKPPv3jQ0iHiCx9PRWRhCbTcBUYtH8dUwgNouAqsTWKxOA6jmA5gRI7Jvq
        CrJLWKCJUeLv/SNgvSICDhL/P2wA28UsICexeepUFgjbS2LFoqvMExgFZyE5YxaS1AJGplWM
        ksVpBoa5FUZ6xanJpUWZJZVp+cmlxXrJ+bmbGIHheGBFhcIOxgsXdQ8xMnFwXmKUlRLmZWRg
        YBDiKUgtys0siS8qzUkthoW4VAPjlLtLpxUfe7cslsn2du8drqNCUfyG87j+pM6xmu7GevbV
        bjN9fq659vmfz55ZvC1VjvV5xa6OMxr3PJycL6xwYE3PXb7z1wmdHZvZZxtfXxeW/sa112oW
        e9msn7Y/Gcq/5N9lYVp+6uzS9+Fh1z57dv2d+yh3Hvtxz/nd06tVd7iFiIQvkz+0QImlOCPR
        UIu5qDgRAP747voXAgAA

--001a11348abc51692c04ff062208
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Well I believe the right answer is nothing. If you publicly disclose it,
you are risking being sued.

It is ethically to disclose it to them, as you did it. However, company is
not liable of giving you price or even do anything about the vulnerability
(I guess until it is too late). They don't even need to write you thank you
mail. It is good practise to do something about, and even to give price to
motivate such researches and harden their security, but no one forces them
to do so.

I know not receiving answer is quite disappointing, but I don't think you
have any other "right" option for reacting to that.

Best regards,

Nikola Milo=C5=A1evi=C4=87


On 23 July 2014 11:06, Micha=C5=82 Rybi=C5=84ski <fishmanos79 () gmail com> wr=
ote:

Hi all,

I believe this is the best place to ask such question because I would
imagine that most of people reading this list have something to do
with discovering vulnerabilities and reporting them to parties
responsible.

On the beginning of the January I have discovered some security flaw
which allows basically anyone to access all personal client's data
(full name, full address, email address and a few more) of one of the
most known Internet IT magazine.
Although I have sent information about it to 3 different contact email
addresses in the two months time span, the only thing I got in return
was information that "We have received your email and have forwarded
it to our main office to review and advise." received on 1st of April.
Since then I haven't heard from them at all.

The easiest action I can think of is to just make a full disclosure of
the flaw and wait for the reaction but because this would allow almost
anyone to access personal data of tenths if not hundreds thousands of
subscribers (including me), I'd rather not do that...

Could anyone of you propose what would be the best solution in this
case or maybe generally this subject can be the start for the more
general question - what should be done with the companies that doesn't
react on such information sent?

Many thanks
MR

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Boa=
rd

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



--001a11348abc51692c04ff062208
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>Well I believe the right answer is nothing. If y=
ou publicly disclose it, you are risking being sued. <br><br></div>It is et=
hically to disclose it to them, as you did it. However, company is not liab=
le of giving you price or even do anything about the vulnerability (I guess=
 until it is too late). They don&#39;t even need to write you thank you mai=
l. It is good practise to do something about, and even to give price to mot=
ivate such researches and harden their security, but no one forces them to =
do so. <br>

<br></div>I know not receiving answer is quite disappointing, but I don&#39=
;t think you have any other &quot;right&quot; option for reacting to that.<=
br><div><div class=3D"gmail_extra"><br clear=3D"all"><div><div dir=3D"ltr">=
<div>

Best regards,<br></div><div><br>Nikola Milo=C5=A1evi=C4=87</div></div></div=

<br><br><div class=3D"gmail_quote">On 23 July 2014 11:06, Micha=C5=82 Rybi=
=C5=84ski <span dir=3D"ltr">&lt;<a href=3D"mailto:fishmanos79 () gmail com" ta=
rget=3D"_blank">fishmanos79 () gmail com</a>&gt;</span> wrote:<br><blockquote =
class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid=
;padding-left:1ex">

Hi all,<br>
<br>
I believe this is the best place to ask such question because I would<br>
imagine that most of people reading this list have something to do<br>
with discovering vulnerabilities and reporting them to parties<br>
responsible.<br>
<br>
On the beginning of the January I have discovered some security flaw<br>
which allows basically anyone to access all personal client&#39;s data<br>
(full name, full address, email address and a few more) of one of the<br>
most known Internet IT magazine.<br>
Although I have sent information about it to 3 different contact email<br>
addresses in the two months time span, the only thing I got in return<br>
was information that &quot;We have received your email and have forwarded<b=
r>
it to our main office to review and advise.&quot; received on 1st of April.=
<br>
Since then I haven&#39;t heard from them at all.<br>
<br>
The easiest action I can think of is to just make a full disclosure of<br>
the flaw and wait for the reaction but because this would allow almost<br>
anyone to access personal data of tenths if not hundreds thousands of<br>
subscribers (including me), I&#39;d rather not do that...<br>
<br>
Could anyone of you propose what would be the best solution in this<br>
case or maybe generally this subject can be the start for the more<br>
general question - what should be done with the companies that doesn&#39;t<=
br>
react on such information sent?<br>
<br>
Many thanks<br>
MR<br>
<br>
------------------------------------------------------------------------<br=

This list is sponsored by: Information Assurance Certification Review Board=
<br>
<br>
Prove to peers and potential employers without a doubt that you can actuall=
y do a proper penetration test. IACRB CPT and CEPT certs require a full pra=
ctical examination in order to become certified.<br>
<br>
<a href=3D"http://www.iacertification.org"; target=3D"_blank">http://www.iac=
ertification.org</a><br>
------------------------------------------------------------------------<br=

<br>
</blockquote></div><br></div></div></div>

--001a11348abc51692c04ff062208--

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: failure notice Nikola Milosevic (Jul 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]