Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: Erik Tayler <erik () digitaloffense net>
Date: Mon, 2 Oct 2000 16:27:36 -0500

True, but it should be noted that in the eyes of most, it would look like
you are just scanning the 'net for vulnerabilities in search of money. If
someone came to me wanting to fix my systems because they have found
something wrong, I would immediately assume the following:

1 - Maybe they are lying, and trying to assume that I know little about
security.
2 - They are contacting many others besides me, for the never-ending search
of money.

Obviously this isn't always the case; there are some out there that really
do care about the security of the community; however, some are completely
money driven.

Erik Tayler
http://www.14x.net
http://www.digitaloffense.net

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of SM
Sent: Monday, October 02, 2000 3:40 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Ethics Scenario


    Why not?  It seems that since you are not causing the security flaw, and
just noticed it, that it would be perfectly appropriate to let them know who
you are and what you do, as well as offer your services.
    I don't think this is chasing the ambulance type scenario; that would
imply that you show up after "something" has happened to offer your
services, which also seems appropriate.  However, this is more trying to
prevent the ambulance from even showing up in the first place.
    Now, if you notice a security problem, then exploit it, and then
contact them for a "solution", that would seem unethical, as well as
possibly illegal.
    Just my thoughts...

    SM

