Security Basics mailing list archives
Consulting Question
From: sammons () cs utk edu
Date: Tue, 8 May 2007 17:31:43 -0400 (EDT)
Hello All,

I would like to get my feet wet doing some general security consultation work (network audits, penetration testing, etc.). My question concerns a proper approach to potential clients. Consider this situation: I have found a few vulnerabilities in the company's web application product that could lead to potential identity theft and system compromise. This being a relatively large company, how would one go about informing the company about this vulnerability without them leaving you 100% out of the equation?

In the case that the company is not interested in further third-party assistance, I have a second question (concerning credit for finding such a vulnerability). What is the proper/ethical protocol for publishing a software vulnerability? Are there any other methods that would ensure credit while protecting the company from mass exploitation?

I thank you in advance for your input.

Best Regards,
Chris