Security Basics mailing list archives

Consulting Question


From: sammons () cs utk edu
Date: Tue, 8 May 2007 17:31:43 -0400 (EDT)

Hello All,

  I would like to get my feet wet doing some general security consultation
work (network audits, penetration testing, etc.). My question concerns
a proper approach to potential clients. Consider this situation: I have
found a few vulnerabilities in a company's web application product
that could lead to potential identity theft and system compromise. This
being a relatively large company, how would one go about informing the
company about this vulnerability without them leaving you 100% out of
the equation?

  In the case that the company is not interested in further third-party
assistance, I have a second question (concerning credit for finding such a
vulnerability). What is the proper/ethical protocol for publishing a
software vulnerability? Are there any other methods that would ensure
credit while protecting the company from mass exploitation? I thank you
in advance for your input.

Best Regards,

Chris
