Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: How to report a Vulnerability to a Company

From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 8 Jan 2008 14:43:52 -0500
Lets say I found a vulnerability in some company's website ( e.g SQL

Injection ) and that 

vulnerability is crucial to the company. How do I ethically report it to

the Company and have 

credit for that.

Can I go and say "Hey! I found a vuln in your website with gives me the

password back for any > user" Or doing this kinda stuff is not ethical at
all unless you make a SLA with the company 

before doing any your own pentest.


If you didn't have express written permission from the owner of the site,
then I think you've already blown your chance at being ethical here.  And to
now try and also receive credit for your finding means that you've got to be
willing to risk their reaction, which may not go your way at all.

I think your best option is a combination of humility and anonymity and a
lesson learned about why you don't test without permission.

PaulM


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: