Security Basics mailing list archives

RE: Consulting Question


From: "Simmons, James" <jsimmons () eds com>
Date: Wed, 9 May 2007 13:54:42 -0500

I won't mention how what you said was wrong since others have
already commented. But for your disclosure I would suggest 3Com's Zero
Day Initiative, if in fact what you found was a zero day.
http://www.zerodayinitiative.com/
If you found an existing exploit with their site, then I would be very
careful in how you approach this. It really depends on how you found it
(i.e. some Google hacking). Or were you illegally scanning this
company's systems? If it was a Google hack, then an argument can be made
that it is public knowledge and thus you COULD be shielded from legal
action. (Of course this is theoretical, as the company can sue you just
because ... See MPAA and RIAA lawsuits for references.)
Personally, I really wouldn't mention it to the company (unless you are
proof positive of your legal standing), and just solicit them for your
services like a professional.


Regards,

Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of sammons () cs utk edu
Sent: Tuesday, May 08, 2007 2:32 PM
To: security-basics () securityfocus com
Subject: Consulting Question

Hello All,

  I would like to get my feet wet doing some general security
consultation work (network audits, penetration testing, etc.). My
question concerns a proper approach to potential clients. Consider this
situation: I have found a few vulnerabilities in a company's web
application product that could lead to potential identity theft and
system compromise. This being a relatively large company, how would one
go about informing the company about this vulnerability without them
leaving you 100% out of the equation?

  In the case that the company is not interested in further third-party
assistance I have a second question (concerning credit for finding such
a vulnerability). What is the proper/ethical protocol for publishing a
software vulnerability? Are there any other methods that would ensure
credit while protecting the company from mass exploitation? I thank you
in advance for your input.

Best Regards,

Chris
