Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: Erik Tayler <erik () digitaloffense net>
Date: Mon, 2 Oct 2000 16:03:49 -0500

In my opinion, this would fall into the chasing ambulances category. If you
find a vulnerability in someone's systems, and you were not asked to do so,
it should be your obligation to either ignore it, or tell them about it. If
you were to say "this is a problem, and we can fix it, for a price", that
would be unethical, and it would undoubtedly be unwelcome. However, in some
instances, it might be appropriate to offer help [for cost or not].

Erik Tayler
14x Network Security
http://www.14x.net
http://www.digitaloffense.net

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Christopher M. Bergeron
Sent: Monday, October 02, 2000 12:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Ethics Scenario


Here's a scenario that I'd like to get people's input on:

A) Our company does pen-tests, security auditing, etc.
B) Our team finds a vulnerability/hole on a website just by poking around /
using the site.

The question is this:
Do we tell the website company who we are and that we have discovered a
vulnerability and then offer to provide them assistance with the
vulnerability (for pay of course).  i.e. offering them a full pen-test or an
IDS or something...?


Or does this tend to fall into the "chasing ambulances" type of business
marketing strategy?

