Re: Client aproach

[Miguel Lopes <theoverblue () gmail com>]

It was my first thought letting them know in anon e-mail but getting some extra cash would be great too.
I guess i will stick with sending the e-mail alerting them of the situation.

thanks

A 2011/12/01, às 16:55, Thor (Hammer of God) escreveu:

> You are in a tough spot.   In general, the level of access you granted yourself in an unauthorized testing of the 
> site would be considered illegal.  You may recall the whole 'or 1=1 thing.   So your approach to the client is all he 
> would need to contact authorities if he so chose.  
>
> Arguably, the best thing to do here would be to contact the owner and just give them the information for free, and do 
> so in a way that does not implicate you in any wrongdoing.  Or simply drop it.  Moving forward, you might want to 
> consider changing your business model so that you are hired to perform web app assessments before you start breaking 
> laws.  
>
> t
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
> Miguel Lopes
> Sent: Wednesday, November 30, 2011 2:56 AM
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Client aproach
>
> Hi List,
>
> I found some major design flaws and vulnerabilities on a local webstore, but now i would like to tell the owner 
> nicely and maybe profit from it?!
> Does anyone have some tips on how to inform a potential client of their vulnerabilities?
>
> Thanks in advance,
> Miguel Lopes
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/