Penetration Testing mailing list archives
Re: failure notice
From: Nikola Milosevic <nikola.milosevic86 () gmail com>
Date: Fri, 25 Jul 2014 16:26:29 +0100
Well I believe the right answer is nothing. If you publicly disclose it, you are risking being sued. It is ethical to disclose it to them, as you did. However, the company is not liable to give you a prize or even to do anything about the vulnerability (I guess until it is too late). They don't even need to write you a thank-you mail. It is good practice to do something about it, and even to give a prize to motivate such research and harden their security, but no one forces them to do so. I know not receiving an answer is quite disappointing, but I don't think you have any other "right" option for reacting to that.

Best regards,
Nikola Milošević

On 25 July 2014 16:21, <MAILER-DAEMON () lists securityfocus com> wrote:
Hi. This is the qmail-send program at lists.securityfocus.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pen-test () lists securityfocus com>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)

--- Below this line is a copy of the message.

Return-Path: <nikola.milosevic86 () gmail com>
Received: (qmail 14541 invoked from network); 25 Jul 2014 15:21:58 -0000
Received: from sf01mail1.securityfocus.com (HELO mail.securityfocus.com) (192.168.120.35) by lists.securityfocus.com with SMTP; 25 Jul 2014 15:21:58 -0000
Received: (qmail 31663 invoked by alias); 25 Jul 2014 15:21:58 -0000
Received: (qmail 31658 invoked from network); 25 Jul 2014 15:21:58 -0000
Received: from sf01mx2.securityfocus.com (192.168.120.32) by mail.securityfocus.com with SMTP; 25 Jul 2014 15:21:58 -0000
X-AuditID: c0a87820-b7b97ae000007517-38-53d27616e66d
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by sf01mx2.securityfocus.com (Symantec Messaging Gateway) with SMTP id 60.56.29975.61672D35; Fri, 25 Jul 2014 15:21:58 +0000 (GMT)
Received: by mail-oa0-f44.google.com with SMTP id eb12so5723828oac.3 for <pen-test () securityfocus com>; Fri, 25 Jul 2014 08:21:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to:cc:content-type; bh=LN1bYANfptzyu7cgy3/Vf+GrzSi1bK7FavQQlZSjo5k=; b=GhcJgI8FetDyXZdD8M05GH7kU+0Ey+kCES0Kr0ROEmEyOSlLmdzgnSjGyfphKNiwO7 XJs/D2opPJYpi0K8HxQmfMw7OAX+BLjKO3mnG/QzYvGNRbiePBdK4EmcQEzSnzfbg8/D hcSH+i9EdEwY+C0PzWvJgK3XEnjIred81agBkMWMLwtILxU3a0PYA6s3fSZdxn1D7Cw9 TG+1vGmwk8zns8XVhXbns57I5PQanNILJLmMGJ6DHLwMYL+Eb5et21FOP+uyNMoS/0IO w6MZBfu1RYpQiMBMe3JnXIWrNHlXO8Ppi/zWyZVsI7C0RuZA24vTmkETXQGURdCM4Kpa WZfQ==
X-Received: by 10.182.149.235 with SMTP id ud11mr23892314obb.50.1406301717486; Fri, 25 Jul 2014 08:21:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.67.196 with HTTP; Fri, 25 Jul 2014 08:21:37 -0700 (PDT)
In-Reply-To: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ () mail gmail com>
References: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ () mail gmail com>
From: Nikola Milosevic <nikola.milosevic86 () gmail com>
Date: Fri, 25 Jul 2014 16:21:37 +0100
Message-ID: <CAJWAiW48ZA62nXrRiL-naKBu=URGCz-tnLnUNZSEKtCEb8W=RA () mail gmail com>
Subject: Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability?
To: Michał Rybiński <fishmanos79 () gmail com>
Cc: pen-test () securityfocus com
Content-Type: multipart/alternative; boundary=001a11348abc51692c04ff062208
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmphluJIrShJLcpLzFFi42K5GHpbR1es7FKwwaEtyhatHVtYHRg97p+5 xR7AGMVlk5Kak1mWWqRvl8CVsXjBAaaCLwYVfz8sY2pgPKjRxcjJISFgItGwax8LhC0mceHe erYuRi4OIYGrjBI3D7UwQzhTGSU2n38N5rAITGeVOHmrmxmipUxief9qMJtXQFDi5MwnYKOE BLwlVv6eBWZzCgRKPPv3jQ0iHiCx9PRWRhCbTcBUYtH8dUwgNouAqsTWKxOA6jmA5gRI7Jvq CrJLWKCJUeLv/SNgvSICDhL/P2wA28UsICexeepUFgjbS2LFoqvMExgFZyE5YxaS1AJGplWM ksVpBoa5FUZ6xanJpUWZJZVp+cmlxXrJ+bmbGIHheGBFhcIOxgsXdQ8xMnFwXmKUlRLmZWRg YBDiKUgtys0siS8qzUkthoW4VAPjlLtLpxUfe7cslsn2du8drqNCUfyG87j+pM6xmu7GevbV bjN9fq659vmfz55ZvC1VjvV5xa6OMxr3PJycL6xwYE3PXb7z1wmdHZvZZxtfXxeW/sa112oW e9msn7Y/Gcq/5N9lYVp+6uzS9+Fh1z57dv2d+yh3Hvtxz/nd06tVd7iFiIQvkz+0QImlOCPR UIu5qDgRAP747voXAgAA

--001a11348abc51692c04ff062208
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Well I believe the right answer is nothing. If you publicly disclose it, you are risking being sued. It is ethical to disclose it to them, as you did. However, the company is not liable to give you a prize or even to do anything about the vulnerability (I guess until it is too late). They don't even need to write you a thank-you mail. It is good practice to do something about it, and even to give a prize to motivate such research and harden their security, but no one forces them to do so. I know not receiving an answer is quite disappointing, but I don't think you have any other "right" option for reacting to that.

Best regards,
Nikola Milošević

On 23 July 2014 11:06, Michał Rybiński <fishmanos79 () gmail com> wrote:

Hi all,

I believe this is the best place to ask such a question because I would imagine that most people reading this list have something to do with discovering vulnerabilities and reporting them to the parties responsible.

At the beginning of January I discovered a security flaw which allows basically anyone to access all personal client data (full name, full address, email address and a few more) of one of the best-known Internet IT magazines. Although I have sent information about it to 3 different contact email addresses over a two-month time span, the only thing I got in return was the information that "We have received your email and have forwarded it to our main office to review and advise.", received on 1st of April. Since then I haven't heard from them at all.

The easiest action I can think of is to just make a full disclosure of the flaw and wait for the reaction, but because this would allow almost anyone to access the personal data of tens if not hundreds of thousands of subscribers (including me), I'd rather not do that...

Could any of you propose what would be the best solution in this case, or maybe this subject can be the start of a more general question - what should be done with companies that don't react to such information being sent?

Many thanks
MR

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test.
IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

--001a11348abc51692c04ff062208--