Security Basics mailing list archives
Re: Disclosure of vulns and its legal aspects...
From: "Lee Lawson" <leejlawson () gmail com>
Date: Wed, 30 May 2007 19:25:22 +0100
True, that might be a better idea, send everything you have found and make no further contact. Isn't it a great shame that we find it dangerous and difficult to inform organisations that their security has holes in it? Why do they immediately jump on the offensive and accuse the good Samaritan of hacking? Just accept the information and make yourself more secure! Simple. I suppose that sometimes, they just don't deserve the help. On 5/30/07, Steve Friedl <steve () unixwiz net> wrote:
On Wed, May 30, 2007 at 09:14:39AM +0100, Lee Lawson wrote: > I would personally create an anoymous email account and send them some > information stating that you are a penetration tester that 'happened' > upon a possible security flaw in their website, but because of the > state of fear that some unenlightened organisations have about this > type of situation, you wish to remain anonymous at this point. Then > explain that if they are open to increasing the security of their > website, you will gladly analyse the security flaw further and give > them full disclosure, on the basis that you will be given written > permission prior to continuing further. I hardly think that "written permission" granted after what would be received as an extortion attempt would be valid. If you are really intent on helping the party that's insecure, then the only quasi-safe way to do it is to send an anonymous report that has all the details, shows them how to reproduce the issue themselves, and urge them to contact their local security experts to have this looked at. The ONLY CHANCE of having your message being taken seriously is if there is no question about your motives, and the only way to attempt that is to remove yourself from the loop once you've sent off the report. That means no ongoing contact, no payment, no work. You leave it to them to fix. Even this is no guarantee - the great majority of unsolicited security reports is ignored even if presented clearly and with an unambiguous message disclaiming any personal gain. It's really just not worth the trouble. Steve --- Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561 www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net
-- Lee J Lawson leejlawson () gmail com "Give a man a fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life." "Quidquid latine dictum sit, altum sonatur."
Current thread:
- Disclosure of vulns and its legal aspects... Dark Cold Ice (May 29)
- RE: Disclosure of vulns and its legal aspects... James Wilburn (May 30)
- Re: Disclosure of vulns and its legal aspects... Lee Lawson (May 30)
- Re: Disclosure of vulns and its legal aspects... Steve Friedl (May 30)
- Re: Disclosure of vulns and its legal aspects... Lee Lawson (May 30)
- RE: Disclosure of vulns and its legal aspects... Craig Wright (May 30)
- Re: Disclosure of vulns and its legal aspects... Lee Lawson (May 30)
- RE: Disclosure of vulns and its legal aspects... James Wilburn (May 30)
- <Possible follow-ups>
- RE: Disclosure of vulns and its legal aspects... Craig Wright (May 30)
- RE: Disclosure of vulns and its legal aspects... Craig Wright (May 30)
- Re: Disclosure of vulns and its legal aspects... Ansgar -59cobalt- Wiechers (May 31)