Re: Disclosure of vulns and its legal aspects...

["Morning Wood" <se_cur_ity () hotmail com>]

> itself was on it's website... My first step and only one so far was to
> write the vendor the typical "praxis" e-mail saying that there MIGHT
> be a vulnerability SOMEWHERE on their website and that i would like
> carte blanche to investigate a bit more about it. I am now stuck with
> 3 thoughts, first of all, if the answer is no ( most common perhaps)
> the vendor will be losing its chance to know where and what flaw is
> it... will i be stuck with that and not be able to publicize it to the
> security community?

When this has happened to me, I try to phone the affected party. I detail 
the flaw, point them in the right direction ( email is a last resort ) , I 
do not say there MIGHT be a possible flaw SOMEWHERE ( good way to raise 
suspicion, they expect extortion next... ). I NEVER ask to fix or probe 
more, I do tell them I am a freelance pentester, I DO NOT offer services or 
offer to fix for PAY. Generally they understand, sometimes not ( questions 
like "why would anyone enter bad data in my web form?" and "we have the best 
devs, there is no problem" are common ), most helpfull are screenshots to 
show what you mean. As for reporting / disclosing publicly... unless the 
site uses a common script / cms / whathaveyou, the flaw is most likely site 
specific, there realy is no need to disclose the flaw to the public ( it 
simply serves no good )

cheers,
m.wood
http://exploitlabs.com 


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------