
Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: Steve Friedl <steve () unixwiz net>
Date: Thu, 5 Oct 2006 11:35:41 -0700
On Thu, Oct 05, 2006 at 10:06:04AM +0200, Andreas Putzo wrote:
> On Oct 04, pand0ra wrote:
> > > You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so.
> >
> > Ethically, that is bad. You should never force (or threaten) anyone into doing something they don't want to. I agree completely with Jay and Dan.
>
> This depends greatly on the information that can be retrieved via a vulnerable website IMHO. What if you can get personal data of the customers of the company or you can do financial harm to them? Then it would be unethical to do nothing against it. In general I agree with you that it is never nice to force someone to do something. However, I don't want to put this thread into a discussion of ethical vs. unethical behavior.
Putting aside the ethics of using a public website for classwork, assuming you have something to report, there's still a question of how hard one ought to press. This depends not on how insecure the site is, but on who would be harmed by potential compromise.

If a website is insecure - even massively - but the only party harmed is the website owner itself, then it's their problem and we really ought not do much more than pass on the news. "I told them, they blew me off, they got hacked. Oh well."

But if third parties could be harmed, then it may warrant stepping it up a notch: if the website's customers have credit card numbers exposed, then raising the issue with the CC-issuing banks might be the way to handle this.

Going public is only warranted in extraordinary cases, if only because it's hard to separate our own desire for our fifteen minutes from whatever benevolent intentions we might have. In most cases, *we* have no dog in that fight, so shouldn't seek to put ourselves in the middle when there are more direct ways to protect the innocent.

Steve

---
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net
Current thread:
- Informing Companies about security vulnerabilities... Joseph McCray (Oct 04)
- RE: Informing Companies about security vulnerabilities... Clemens, Dan (Oct 04)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 04)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 04)
- Re: Informing Companies about security vulnerabilities... Jex (Oct 04)
- Re: Informing Companies about security vulnerabilities... Wolf Halton (Oct 04)
- Re: Informing Companies about security vulnerabilities... Micro Kluge (Oct 06)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 04)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 05)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 05)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 05)
- Re: Informing Companies about security vulnerabilities... s-williams (Oct 05)
- Re: Informing Companies about security vulnerabilities... Dan Catalin Vasile (Oct 05)
- <Possible follow-ups>
- RE: Informing Companies about security vulnerabilities... bugtraq (Oct 04)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... gat0r (Oct 06)
- Re: Informing Companies about security vulnerabilities... Dragos Ruiu (Oct 05)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... jay.tomas (Oct 04)
- Re: Informing Companies about security vulnerabilities... Thor (Hammer of God) (Oct 04)
- Re: Informing Companies about security vulnerabilities... Stefano Zanero (Oct 05)
- Re: Informing Companies about security vulnerabilities... Thor (Hammer of God) (Oct 04)