Penetration Testing mailing list archives
Re: [PEN-TEST] Ethics Scenario
From: SM <meads () irn pdx edu>
Date: Mon, 2 Oct 2000 13:39:46 -0700
Why not? It seems that since you are not causing the security flaw, and just noticed it, that it would be perfectly appropriate to let them know who you are and what you do, as well as offer your services. I don't think this is chasing the ambulance type scenario; that would imply that you show up after "something" has happened to offer your services, which also seems appropriate. However, this is more trying to prevent the ambulance from even showing up in the first place.

Now, if you notice a security problem, then exploit it, and then contact them for a "solution", that would seem unethical, as well as possibly illegal.

Just my thoughts...

SM

----- Original Message -----
From: "Christopher M. Bergeron" <ChrisB () HGSS COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Monday, October 02, 2000 10:43 AM
Subject: [PEN-TEST] Ethics Scenario

Here's a scenario that I'd like to get people's input on:

A) Our company does pen-tests, security auditing etc...
B) Our team finds a vulnerability/hole on a website just by poking around / using the site.

The question is this: Do we tell the website company who we are and that we have discovered a vulnerability and then offer to provide them assistance with the vulnerability (for pay of course), i.e. offering them a full pen-test or an IDS or something...? Or does this tend to fall into the "chasing ambulances" type of business marketing strategy?