Re: He is not evil, checked a site without authorization, found an issue...then what?

[Josh More <jmore () starmind org>]

If the bank is based in the US, the Infragard project exists just for
this sort of situation.

-Josh

On Thu, Jan 12, 2012 at 2:33 PM, Sherif El-Deeb <archeldeeb () gmail com> wrote:
> Hi all,
>
> I have a friend "Bob" who found a vulnerability, (SQL injection, error based
> -> v.fast data dumping)  in a banking website that gave him access to all
> the customers' details among many other things, he is not evil, and he came
> to me for advice:
>
> 1- He know he shouldn't have done the test in the first place without
> authorization and he is afraid that he might get prosecuted if he reported
> it "happened before, right?".
> 2- He knows that this has to be reported because it leaves customer data
> exposed, and he has to act fast.
> 3- He would very much like to get rewarded :) not necessarily by money, a
> thank you letter will be just fine.
>
> I told him if we couldn't figure out a way to make sure he won't get
> prosecuted, He will just make the great sacrifice, be a good citizen and
> anonymously report it, and the only benefit he will gain will be sleeping at
> night feeling little better about his self knowing that because of the time
> and efforts he spent finding and reporting the issue, thousands and
> thousands of innocent people financial data are a bit more secure.
>
> any advices?
>
> Thanks in advance.
> Sherif Eldeeb
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com