Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: SM <meads () irn pdx edu>
Date: Mon, 2 Oct 2000 13:39:46 -0700

    Why not?  It seems that since you are not causing the security flaw, and
just noticed it, that it would be perfectly appropriate to let them know who
you are and what you do, as well as offer your services.
    I don't think this is the chasing-the-ambulance type of scenario; that would
imply that you show up after "something" has happened to offer your
services, which also seems appropriate.  However, this is more trying to
prevent the ambulance from even showing up in the first place.
    Now, if you notice a security problem, then exploit it, and then
contact them for a "solution", that would seem unethical, as well as
possibly illegal.
    Just my thoughts...

    SM


----- Original Message -----
From: "Christopher M. Bergeron" <ChrisB () HGSS COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Monday, October 02, 2000 10:43 AM
Subject: [PEN-TEST] Ethics Scenario


Here's a scenario that I'd like to get peoples' input on:

A) Our company does pen-tests, security auditing etc...
B) Our team finds a vulnerability/hole on a website just by poking around /
using the site.

The question is this:
Do we tell the website company who we are and that we have discovered a
vulnerability and then offer to provide them assistance with the
vulnerability (for pay of course).  i.e. offering them a full pen-test or an
IDS or something...?


Or does this tend to fall into the "chasing ambulances" type of business
marketing strategy?

