Security Basics mailing list archives

Re: Consulting Question


From: "Adam Pal-Moldovan" <pal_adam () gmx net>
Date: Wed, 09 May 2007 11:55:28 +0200

Hi Chris

First of all, congrats for the gap you've found.
Considering a story from one of Mitnick's books, the worst case scenario would be an accusation that you want to
exploit the company.
I think your "dilemma" is pretty classical for the "good hackers", but think about the companies: there is not only the
IT department where the guys try to fix their software, there is also the management and PR department, so they
wouldn't eventually understand what you do and would falsely accuse you, because that is good for the image of the company.
On the other hand, maybe they will understand you, make you an offer to shut up, and not to tell anyone about it.

Usually companies trust 3rd party consultants more than someone from outside, because such consultants are damn
expensive, so they must be damn good (management mentality).

Considering some draft about how to publish a vulnerability, if you sum up my previous statements and can anonymize
that so far as to get out of any risk, I think you can check
http://www.kb.cert.org/vuls/html/fieldhelp
That's what I've found about how some draft should/could look like.


Best regards


Adam

-------- Original Message --------
Date: Tue, 8 May 2007 17:31:43 -0400 (EDT)
From: sammons () cs utk edu
To: security-basics () securityfocus com
Subject: Consulting Question

Hello All,

  I would like to get my feet wet doing some general security consultation
work (network audits, penetration testing, etc.). My question concerns
a proper approach to potential clients. Consider this situation: I have
found a few vulnerabilities in a company's web application product
that could lead to potential identity theft and system compromise. This
being a relatively large company, how would one go about informing the
company about this vulnerability without them leaving you 100% out of
the equation?

  In the case that the company is not interested in further third-party
assistance I have a second question (concerning credit for finding such a
vulnerability). What is the proper/ethical protocol for publishing a
software vulnerability? Are there any other methods that would ensure
credit while protecting the company from mass exploitation? I thank you
in advance for your input.

Best Regards,

Chris
