Security Basics mailing list archives
Re: Consulting Question
From: "Fabio Cerullo" <fcerullo () gmail com>
Date: Wed, 9 May 2007 10:58:44 +0100
Hi Chris, Please correct me if i am wrong but regarding your first question, you shouldn;t be doing that kind of approach with potential customers, as doing some kind of "random" penetration testing in order to find vulnerabilities is illegal and unethical. Answering your second question a good way of contributing to the security industry could be to post your key findings and ways to solve the problem in security lists like this one. Obviously avoiding to put any company names which could damage their reputation. Hope this helps. Fabio On 5/8/07, sammons () cs utk edu <sammons () cs utk edu> wrote:
Hello All, I would like to get my feet wet doing some general security consultation work (network audits, penetration testing, etc.). My questions concerns a proper approach to potential clients. Consider this situation, I have found a few vulnerabilities in the company's web application product that could lead to potential identity theft and system compromise. This being a relatively large company, how would one go about informing the company about this vulnerability without them leaving you 100% out of the equation? In the case that the company is not interested in further third-party assistance I have a second question (concerning credit for finding such vulnerability). What is the proper/ethical protocol for publishing a software vulnerability? Are there any other methods that would insure credit while protecting the company from mass exploitation? I thank you in advanced for your input. Best Regards, Chris
Current thread:
- Consulting Question sammons (May 08)
- 3 questions on MSN, Security Logs and Federal help Ismael Gonzalez (May 09)
- Re: Consulting Question Fabio Cerullo (May 09)
- Re: Consulting Question Adam Pal-Moldovan (May 09)
- Re: Consulting Question sammons (May 09)
- RE: Consulting Question Jones, David H (May 09)
- RE: Consulting Question David Gillett (May 09)
- RE: Consulting Question Simmons, James (May 09)
- <Possible follow-ups>
- Re: Consulting Question me (May 09)
- RE: Consulting Question Al Saenz (May 09)
- RE: Consulting Question Laundrup, Jens (May 09)
- RE: Consulting Question Craig Wright (May 09)
- Re: Consulting Question Stephen Thornber (May 10)
(Thread continues...)