Security Basics mailing list archives

Re: Disclosure


From: Eitan Adler <eitanadlerlist () gmail com>
Date: Wed, 11 Feb 2009 18:42:48 -0500

Dennis Kudin wrote:
> Hi,
>
> As a first step, just send them a notification with a description of the
> vulnerability and let them have some time to fix it. Try to get their
> response to make sure they received your message and understood it
> correctly. This is a normal practice. Why do you think they'll pursue
> you if you clearly show your good intentions and readiness to
> cooperate?

MBTA comes to mind.  I'm sure there are others.

> --
> Best regards,
> Dennis
> http://kudin.net
>
> -----Original Message-----
> From: Saphex <saphex () gmail com>
> Sent: Wednesday, February 11, 2009, 21:58:08
> To: security-basics () securityfocus com
> Subject: Disclosure
> Hi,
>
> I have been wondering how to disclose vulnerabilities. If some
> corporate web site has a vulnerability, which is the best approach to
> reveal that vulnerability to them? Without getting a lawsuit or
> something?
> Is there some law-compliant way of doing it? Let's assume they didn't ask
> for the security *testing*.
>
> Best regards,
> saphex

-- 
Eitan Adler
"Security is increased by designing for the way humans actually behave."
-Jakob Nielsen
