Full Disclosure mailing list archives

Re: Client approach


From: Miguel Lopes <theoverblue () gmail com>
Date: Thu, 1 Dec 2011 18:38:52 +0000

Thanks for the advice, the money was a long shot. I will stick with the anonymous e-mail, giving the information and 
tips to fix it.

On 2011/12/01, at 18:08, Chris L wrote:

Depending on your country/local laws (no idea where you're from), how you discovered the vulnerabilities and if you 
actually tested them and gained unauthorized access in the process, then there is the possibility you're on the wrong 
side of the law. If you haplessly stumbled across it and then left it be but just know it's there, you're probably 
safe. If you found something that seemed odd, and actively tried to test it or to verify that it was an issue without 
prior permission, you're almost certainly in violation of some law. Even if it was very minor verification. As well, a 
lot of whether or not the owner decides to get police involved and try to come after you is simply going to depend on 
their technological knowledge, how they perceive the information you tell them and simply whether or not they decide 
they like you or not, so it's a real crap shoot.

I'd say your chances of getting money are slim/nil and that it would be a bad idea to even attempt. Even if it's not 
your intention, and even if you make it explicitly clear that you won't use the info or disseminate the info even if 
he decides not to pay you to fix it, it could still be perceived as an extortion attempt. As others have said, the 
best bet is to send an anonymous email, give him all the details and hope he takes proper action to fix it. 

If you really feel the need to let them know who you are (or you did this from a location where they're going to 
track it back to you if they check the logs once you alert them of the problem anyway), I'd still say the best thing 
to do is to simply give them all the information and some small advice about how it may be fixed, for free. There 
simply isn't any good way to get actual money out of this without it seeming like a shakedown/extortion, 
or the owner simply getting cops involved because they don't even want to bother spending any money on the issues and 
would rather just label you some "elite evil hacker" and pretend there is nothing they can do rather than spend the 
money. 

However, if you're hellbent on it, the only relatively safe way I see to get anything of value out of this would be 
to turn over all information and advice on fixing the problem and make it clear you just want to alert them to the 
problem. A lot of people aren't exactly technical and won't understand what you're saying so you can offer to fix it, 
I can't stress this enough, for FREE. Then if by the end of fixing it they appreciate your work and think you've done 
well you could always ask if you can use them as a reference, which might help get actual paying work down the road. 
This is best done at the END and only if you feel that you've developed some trust and they appreciate the help you 
gave them. 

All that said though, the safest way, as said, is simply an anonymous e-mail, and it is the best option. If you are going 
to stick your neck out there, at least realize you're not likely to see any real money from it and there is the risk 
you get it chopped off.


On Thu, Dec 1, 2011 at 9:04 AM, Peter Dawson <slash.pd () gmail com> wrote:

Send the site owner/admin an anon email and leave it at that.. as Thor mentioned, give 'em the info for free!  
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
