Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: Steve <Steve () SECURESOLUTIONS ORG>
Date: Mon, 2 Oct 2000 13:58:59 -0600

> B) Our team finds a vulnerability/hole on a website just by poking
> around / using the site.

Poking around maybe but most of the time you will not just run into a hole
by using the web site for what it is intended.


> The question is this:
> Do we tell the website company who we are and that we have discovered a

I would inform them definitely.  No need to provide detailed fix information
but at least inform them of how you "fell" into the hole/vuln.

> vulnerability and then offer to provide them assistance with the
> vulnerability (for pay of course).  i.e. offering them a full pen-test
> or an IDS or something...?

I wouldn't.  But I would attach my company and contact info on the email.
Leave it up to the company to come to you otherwise you never know what they
might try accusing you of.

> Or does this tend to fall into the "chasing ambulances" type of business
> marketing strategy?

I think it does.  It's like alarm companies breaking into houses and leaving
their business card behind.

In fact, I have recently heard rumors (rumors, so don't ask me to publicly
name the company) of a company using their own staff to hack, crack, and
deface sites then have their sales drones do a cold call on the company a
few days later.

In my opinion, this is very unethical and to be honest, if I ever find some
real proof that this certain company is actually doing this, I will report
it publicly, lawsuit or not.
