Penetration Testing mailing list archives
Re: Disclosure of vulns and its legal aspects...
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Wed, 30 May 2007 08:51:44 -0700
itself was on it's website... My first step and only one so far was to write the vendor the typical "praxis" e-mail saying that there MIGHT be a vulnerability SOMEWHERE on their website and that i would like carte blanche to investigate a bit more about it. I am now stuck with 3 thoughts, first of all, if the answer is no ( most common perhaps) the vendor will be losing its chance to know where and what flaw is it... will i be stuck with that and not be able to publicize it to the security community?
When this has happened to me, I try to phone the affected party. I detail the flaw, point them in the right direction ( email is a last resort ) , I do not say there MIGHT be a possible flaw SOMEWHERE ( good way to raise suspicion, they expect extortion next... ). I NEVER ask to fix or probe more, I do tell them I am a freelance pentester, I DO NOT offer services or offer to fix for PAY. Generally they understand, sometimes not ( questions like "why would anyone enter bad data in my web form?" and "we have the best devs, there is no problem" are common ), most helpfull are screenshots to show what you mean. As for reporting / disclosing publicly... unless the site uses a common script / cms / whathaveyou, the flaw is most likely site specific, there realy is no need to disclose the flaw to the public ( it simply serves no good )
cheers, m.woodhttp://exploitlabs.com
------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Disclosure of vulns and its legal aspects... Dark Cold Ice (May 29)
- RE: Disclosure of vulns and its legal aspects... James Wilburn (May 29)
- Re: Disclosure of vulns and its legal aspects... Lee Lawson (May 30)
- Re: Disclosure of vulns and its legal aspects... Steve Friedl (May 30)
- Re: Disclosure of vulns and its legal aspects... Lee Lawson (May 30)
- Re: Disclosure of vulns and its legal aspects... Lee Lawson (May 30)
- RE: Disclosure of vulns and its legal aspects... James Wilburn (May 29)
- Re: Disclosure of vulns and its legal aspects... Sat Jagat Singh (May 30)
- Re: Disclosure of vulns and its legal aspects... Morning Wood (May 30)
- <Possible follow-ups>
- Re: Disclosure of vulns and its legal aspects... krymson (May 30)
- Re: Disclosure of vulns and its legal aspects... cwright (May 31)