Security Basics mailing list archives

RE: Consulting Question


From: "Jones, David H" <Jones.David.H () principal com>
Date: Wed, 9 May 2007 09:53:26 -0500

I'd be very careful; it sounds like you may be treading on some very
thin ice.  I don't know if this is a hypothetical situation or not, but
your wording leads me to believe that you've already found this
vulnerability on said company's website.

If this is the case, the fact that you state "how do I let them know"
leads me to believe that you have no prior agreement with this company
to do any sort of assessment or pen test.  You might very well be in hot
soup if you approach them and say "yeah, I found this stuff wrong with
your web app."  They might not see it as such a friendly gesture.  Since
you were not authorized to do this "research" for them, they just may
send Bruno after you.

In other words, you've performed a hack on their system, without their
prior knowledge or any type of written agreement, and if you try to hold
it over their heads to make a buck, well... That's extortion.

From Wikipedia:

"In the United States, extortion may also be committed as a federal
crime across a computer system, phone, by mail or in using any
instrument of "interstate commerce". Extortion requires that the
individual sent the message "willingly" and "knowingly" as elements of
the crime. The message only has to be sent (but does not have to reach
the intended recipient) to commit the crime of extortion."

Be careful.

As for disclosure, if this is a third party application, you may wish to
contact the vendor.  If, after a suitable amount of time, they do not
respond, you can publish your findings through the full disclosure
route.  Again, be careful with this.  If you found the vulnerability on
a system you don't own, and it's not a wide deployment, full disclosure
of the vulnerability may be tracked back to you.

In any case, good luck.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of sammons () cs utk edu
Sent: Tuesday, May 08, 2007 4:32 PM
To: security-basics () securityfocus com
Subject: Consulting Question

Hello All,

  I would like to get my feet wet doing some general security
consultation work (network audits, penetration testing, etc.). My
question concerns a proper approach to potential clients. Consider this
situation: I have found a few vulnerabilities in the company's web
application product that could lead to potential identity theft and
system compromise. This being a relatively large company, how would one
go about informing the company about this vulnerability without them
leaving you 100% out of the equation?

  In the case that the company is not interested in further third-party
assistance I have a second question (concerning credit for finding such
a vulnerability). What is the proper/ethical protocol for publishing a
software vulnerability? Are there any other methods that would ensure
credit while protecting the company from mass exploitation? I thank you
in advance for your input.

Best Regards,

Chris
