Security Basics mailing list archives

RE: Consulting Question


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 9 May 2007 12:10:21 -0700

  If you're not already aware of Bugtraq, you should be.
It originated as a forum for publishing notices of bugs
and fixes, but has evolved into a community of disclosure
of security flaws.  A convention has evolved for
"responsible disclosure" which gives responsible vendors 
a chance to verify and fix an issue before the researcher 
goes public and gets credit for the discovery.

  What you absolutely want to avoid is anything that can
be construed as "I've broken your security, so give me 
money".  (And if it's remotely possible that what you say
can be construed this way, somebody WILL.)

  People have probably gotten away with signing on to a
paid security audit/pentest/whatever gig, and presenting 
as product of that work a vulnerability actually discovered
in advance.  But that's ethically shady and probably
illegal; if you have to disclose it to land the gig then you 
can as easily wind up facing prosecution as employment.

David Gillett
