Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: "Tonick, Mike" <Mike.Tonick () PS NET>
Date: Mon, 2 Oct 2000 16:15:05 -0500

Christopher,

I don't think it's wrong - I know it's wrong.

First of all, I would question the practice of "poking around" on someone's web site where you don't have legal liability waivers in place to protect you and the assets of your company.

If you found the problem innocently, then offer to fix it for free.  That would be much more honorable, in my opinion, than saying I'll fix it - if you pay me.  I believe that approach borders on extortion and/or blackmail.

Michael D. Tonick, CISSP
Senior Security Consultant
Perot Systems
Dallas, Texas

-----Original Message-----
From: Christopher M. Bergeron [mailto:ChrisB () HGSS COM]
Sent: Monday, October 02, 2000 12:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Ethics Scenario


Here's a scenario that I'd like to get people's input on:

A) Our company does pen-tests, security auditing etc...
B) Our team finds a vulnerability/hole on a website just by poking around / using the site.

The question is this:
Do we tell the website company who we are and that we have discovered a vulnerability and then offer to provide them assistance with the vulnerability (for pay of course).  i.e. offering them a full pen-test or an IDS or something...?

Or does this tend to fall into the "chasing ambulances" type of business marketing strategy?
