Re: Consulting Question

[sammons () cs utk edu]

I appreciate all the responses so far. They are very helpful. I just
wanted to clarify a particular point in my scenario. The system
(application) is one that I have been given access to and the flaw was
found via a general error from the application. No testing was done. The
flaw, obviously caused by lax coding practices, could be easily spotted by
anyone knowledgeable of such issues. My question then is this, to avoid
such a misunderstanding (by non-technical management) would it be better
to simply point the flaw out and offer methods of remediation without an
additional offer of service?

Thanks,

Chris

> Hi Chris
>
> First of all, congrats for the gap you`ve found.
> Considering a story from one of Mitnick`s books, the worst case scenario
> would be an accusation that you want to exploit the company.
> I think your "dilema" is pretty classical for the "good hackers" but think
> at the companies, there is not only the IT-department where the guys try
> to fix their software, there is also the management and pr-department, so
> they wouldn`t eventualy understand what you do and falsely accuse you,
> because that is good for the immage of the company.
> On the other hand, maybe they will understand you, make you an offert to
> shut up, and not to tell anyone about it.
>
> Usualy companies trust 3rd party consultants more than someone from
> outside, because such consultants are damn expensive, so they must be damn
> good (management mentality).
>
> Considering some draft about how to publish a vulnerability, if you sum up
> my previous statements and can anonymize that so far to get out of any
> risk, i think you can check
> http://www.kb.cert.org/vuls/html/fieldhelp
> Thats what i`ve found about how some draft should/could look like.
>
>
> Best regards
>
>
> Adam
>
> -------- Original-Nachricht --------
> Datum: Tue, 8 May 2007 17:31:43 -0400 (EDT)
> Von: sammons () cs utk edu
> An: security-basics () securityfocus com
> Betreff: Consulting Question
>
> > Hello All,
> >
> >   I would like to get my feet wet doing some general security
> > consultation
> > work (network audits, penetration testing, etc.). My questions concerns
> > a proper approach to potential clients. Consider this situation, I have
> > found a few vulnerabilities in the company's web application product
> > that could lead to potential identity theft and system compromise. This
> > being a relatively large company, how would one go about informing the
> > company about this vulnerability without them leaving you 100% out of
> > the equation?
> >
> >   In the case that the company is not interested in further third-party
> > assistance I have a second question (concerning credit for finding such
> > vulnerability). What is the proper/ethical protocol for publishing a
> > software vulnerability? Are there any other methods that would insure
> > credit while protecting the company from mass exploitation? I thank you
> > in advanced for your input.
> >
> > Best Regards,
> >
> > Chris
>
> --
> "Feel free" - 10 GB Mailbox, 100 FreeSMS/Monat ...
> Jetzt GMX TopMail testen: http://www.gmx.net/de/go/topmail