Penetration Testing mailing list archives
RE: How to report a Vulnerability to a Company
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 8 Jan 2008 14:43:52 -0500
> Let's say I found a vulnerability in some company's website (e.g. SQL
> Injection) and that vulnerability is crucial to the company. How do I
> ethically report it to the Company and have credit for that? Can I go
> and say "Hey! I found a vuln in your website which gives me the
> password back for any user" Or doing this kinda stuff is not ethical
> at all unless you make an SLA with the company before doing any of
> your own pentest.
If you didn't have express written permission from the owner of the site, then I think you've already blown your chance at being ethical here. And to now try and also receive credit for your finding means that you've got to be willing to risk their reaction, which may not go your way at all. I think your best option is a combination of humility and anonymity and a lesson learned about why you don't test without permission.
PaulM