Security Basics mailing list archives

Re: Consulting Question


From: me () privacy net
Date: 9 May 2007 15:16:39 -0000

Guerrilla marketing will not win you any friends, either in the community or the profession.  If you come off with merely 
a whiff of "hire me or the info goes public", you will be black-balled in the security realm forever.  Just that you 
asked the question in the manner that you have indicates to me a profound lack of maturity and understanding of both 
the business world and the core ethics required of the security profession.

That said, give them every detail of the vulnerability (and you better have a good excuse as to why you have this 
information to begin with).  Offer to help them.  If they refuse, just be happy they don't have you arrested.  

Better yet, destroy all the information you have and pretend you didn't do vulnerability testing without the client's 
permission.

To illustrate why this was stupid:  Imagine that the organization experiences a breach.  They check logs and other 
forensic evidence.  Your activity is all over it.  You go to jail and now have to prove you are merely stupid and not 
criminal.  Understand now?

