Security Basics mailing list archives
Re: Disclosure
From: Eitan Adler <eitanadlerlist () gmail com>
Date: Wed, 11 Feb 2009 18:42:48 -0500
Dennis Kudin wrote:
Hi, As a first step, just send them a notification with description of the vulnerability and let them have some time to fix it. Try to get their response to make sure they received your message and understood it correctly. This is a normal practice. Why do you think they'll pursue you if you clearly show your good intentions and readiness to cooperate?
MBTA comes to mind. I'm sure there are others.
--
Best regards,
Dennis
http://kudin.net

-----Original Message-----
From: Saphex <saphex () gmail com>
Sent: Wednesday, February 11, 2009, 21:58:08
To: security-basics () securityfocus com
Subject: Disclosure

Hi,

I have been wondering how to disclose vulnerabilities. If some corporate web site has a vulnerability, which is the best approach to reveal that vulnerability to them? Without getting a lawsuit or something? Is there some law compliant way of doing it? Let's assume they didn't ask for the security *testing*.

Best regards,
saphex
--
Eitan Adler
"Security is increased by designing for the way humans actually behave." -Jakob Nielsen
Current thread:
- Disclosure Saphex (Feb 11)
- Re: Disclosure Adriel T. Desautels (Feb 11)
- Re: Disclosure Dennis Kudin (Feb 11)
- Re: Disclosure Saphex (Feb 11)
- Re: Disclosure Eitan Adler (Feb 12)
- RE: Disclosure Craig S Wright (Feb 12)