Security Basics mailing list archives
RE: Consulting Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 9 May 2007 12:10:21 -0700
If you're not already aware of Bugtraq, you should be. It originated as a forum for publishing notices of bugs and fixes, but has evolved into a community of disclosure of security flaws. A convention has evolved for "responsible disclosure" which gives responsible vendors a chance to verify and fix an issue before the researcher goes public and gets credit for the discovery.

What you absolutely want to avoid is anything that can be construed as "I've broken your security, so give me money". (And if it's remotely possible that what you say can be construed this way, somebody WILL.)

People have probably gotten away with signing on to a paid security audit/pentest/whatever gig, and presenting as product of that work a vulnerability actually discovered in advance. But that's ethically shady and probably illegal; if you have to disclose it to land the gig then you can as easily wind up facing prosecution as employment.

David Gillett
Current thread:
- Consulting Question sammons (May 08)
- 3 questions on MSN, Security Logs and Federal help Ismael Gonzalez (May 09)
- Re: Consulting Question Fabio Cerullo (May 09)
- Re: Consulting Question Adam Pal-Moldovan (May 09)
- Re: Consulting Question sammons (May 09)
- RE: Consulting Question Jones, David H (May 09)
- RE: Consulting Question David Gillett (May 09)
- RE: Consulting Question Simmons, James (May 09)
- <Possible follow-ups>
- Re: Consulting Question me (May 09)
- RE: Consulting Question Al Saenz (May 09)
- RE: Consulting Question Laundrup, Jens (May 09)
- RE: Consulting Question Craig Wright (May 09)
- Re: Consulting Question Stephen Thornber (May 10)
- RE: Consulting Question Craig Wright (May 10)