Full Disclosure mailing list archives
Re: Deutsche Post Security Cup 2013
From: Daniel Preussker <daniel () preussker net>
Date: Wed, 20 Mar 2013 18:56:58 +0100
On 20.03.2013, at 14:59, Benji wrote:
> I think it's getting ridiculous: if you don't have a name in the industry you're getting sued for the vast majority of bugs you solve... And on the other hand, those same companies give away 3-15.000 for a single bug if the researcher happens to be known :|

Examples please
Well, for instance we got all those folks that got into trouble with jail-breaking all kinds of devices. I know this is not a bug per se, but it still has a bad flavor to know that one ain't allowed to do anything with "his" hardware...

Then we got those governmental pages, who don't really care that people like us make their applications more secure... mostly even for free... Here I remember the MTISC thing... MTISC was/is a client page for ManTech (one of the top weapon-systems engineers and suppliers for mostly any U.S. military branch). Somebody found out that "'OR 1=1" as username and password grants administrator-level access on the site, making you able to get any invoice and delivery receipt (like Iraqi bases from the U.S. military)... Well, I assume he had quite some fun too...

Also PayPal: now they do bug bounties, but some time ago they were fairly pro-active with their lawyers, if I remember right... I've even had a threat from a Bavarian university because I informed them that having a root directory world-readable via apache2 fancyindexing ain't so intelligent...

There are ofc a lot more examples; one individual I used to talk to was close to jail due to an SQL injection disclosure...

I admit, I might have over-exaggerated the situation a bit in rage.

Kind regards,
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography
[ LPI & Novell Certified Linux Engineer and Researcher
[ +49 178 600 96 30
[ Daniel () Preussker Net
[ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/