Security Basics mailing list archives
RE: Consulting Question
From: "Laundrup, Jens" <Jens.Laundrup () METROKC GOV>
Date: Wed, 9 May 2007 15:46:57 -0700
Common courtesy is to contact the company that wrote the software package and give them an opportunity to fix it before you announce it to the world. Let them know that you are doing just so and to please credit you with the discovery.

As far as your management, I would write it up in an e-mail to the IT manager and the security manager (and cc your supervisor) with the offer to help fix the problem. This way there is no denying that you discovered it and you acted in the best interest of the company. They may worry about the vulnerability broadcast on e-mail, but you need to CYA in case they have any thoughts of "blamescaping". If you can encrypt it, even better. But whatever you do, keep a copy.

Good job on finding it and great job of trying to do the right thing!

Jens

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Al Saenz
Sent: Wednesday, May 09, 2007 11:54 AM
To: sammons () cs utk edu
Cc: security-basics () securityfocus com
Subject: RE: Consulting Question

Hi Chris,

So it was kind of found by you doing your normal job on the system, more like discovered accidentally. Explain to them how you found it so that they don't think you are "looking" for things to gain more business. I say point it out and let them know that you could fix it for them. If they say no, we will fix it ourselves, well, they will be very happy and "remember" that you pointed it out, and perhaps you will get more business in the future from them.

Al

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of sammons () cs utk edu
Sent: Wednesday, May 09, 2007 11:36 AM
To: Adam Pal-Moldovan
Cc: security-basics () securityfocus com
Subject: Re: Consulting Question

I appreciate all the responses so far. They are very helpful. I just wanted to clarify a particular point in my scenario.

The system (application) is one that I have been given access to, and the flaw was found via a general error from the application. No testing was done. The flaw, obviously caused by lax coding practices, could be easily spotted by anyone knowledgeable of such issues. My question then is this: to avoid such a misunderstanding (by non-technical management), would it be better to simply point the flaw out and offer methods of remediation without an additional offer of service?

Thanks,
Chris

Hi Chris,

First of all, congrats for the gap you've found. Considering a story from one of Mitnick's books, the worst case scenario would be an accusation that you want to exploit the company. I think your "dilemma" is pretty classical for the "good hackers", but think of the companies: there is not only the IT department where the guys try to fix their software, there is also the management and PR department, so they wouldn't eventually understand what you do and would falsely accuse you, because that is good for the image of the company. On the other hand, maybe they will understand you, make you an offer to shut up, and not to tell anyone about it.

Usually companies trust 3rd party consultants more than someone from outside, because such consultants are damn expensive, so they must be damn good (management mentality).

Considering some draft about how to publish a vulnerability, if you sum up my previous statements and can anonymize that so far to get out of any risk, I think you can check http://www.kb.cert.org/vuls/html/fieldhelp
That's what I've found about how some draft should/could look like.

Best regards,
Adam

-------- Original Message --------
Date: Tue, 8 May 2007 17:31:43 -0400 (EDT)
From: sammons () cs utk edu
To: security-basics () securityfocus com
Subject: Consulting Question

Hello All,

I would like to get my feet wet doing some general security consultation work (network audits, penetration testing, etc.). My questions concern a proper approach to potential clients. Consider this situation: I have found a few vulnerabilities in the company's web application product that could lead to potential identity theft and system compromise. This being a relatively large company, how would one go about informing the company about this vulnerability without them leaving you 100% out of the equation?

In the case that the company is not interested in further third-party assistance, I have a second question (concerning credit for finding such a vulnerability). What is the proper/ethical protocol for publishing a software vulnerability? Are there any other methods that would ensure credit while protecting the company from mass exploitation?

I thank you in advance for your input.

Best Regards,
Chris
Current thread:
- Consulting Question sammons (May 08)
- 3 questions on MSN, Security Logs and Federal help Ismael Gonzalez (May 09)
- Re: Consulting Question Fabio Cerullo (May 09)
- Re: Consulting Question Adam Pal-Moldovan (May 09)
- Re: Consulting Question sammons (May 09)
- RE: Consulting Question Jones, David H (May 09)
- RE: Consulting Question David Gillett (May 09)
- RE: Consulting Question Simmons, James (May 09)
- <Possible follow-ups>
- Re: Consulting Question me (May 09)
- RE: Consulting Question Al Saenz (May 09)
- RE: Consulting Question Laundrup, Jens (May 09)
- RE: Consulting Question Craig Wright (May 09)
- Re: Consulting Question Stephen Thornber (May 10)
- RE: Consulting Question Craig Wright (May 10)