Re: how to alert company of security hole

[scheyne () att net]

You know, this is something that may of a sensitive nature, but I see it as an "OPPORTUNITY!"

I have been in the same situation and so I called the CSO or CISO of the company and talk to them only and then keep 
your mouth tightly sealed.   This presents the opportunity to "network" for a future job and at the same time, it is a 
professional thing to do.  Documentation sent to them is very important, and may even require a non-disclosure 
agreement, but it is the right thing to do.   If it is an American company and possibly on the SEC board, you are once 
again doing the right thing.  I am a SME on SARBANES-OXLEY and it is a necessity, and if they choose not to do anything 
about it, they are fined and could face imprisonment if it devulges customer information.

Sam Cheyne

> Hi All,
> Not sure if this question belongs here or not, but ...
> I am curious about an approach one would take in alerting a company that 
> their web site/e-shop has multiple vulnerabilities.  In other words should 
> the individual who discovered the holes contact the parties involved 
> directly or anonymously in fear of law suit?
> Also, would one be swimming in murky waters if they were looking at some 
> reward for the discovery ...
>
>    Cheers,
>       Serg
>       sbonlinux[AT]hotmail.com
>       Your friendly neighborhood geek.
>
> _________________________________________________________________
> We've 100s of NEW questions! Play Millionaire online to win $$$$. Click here 
>   http://sites.ninemsn.com.au/minisite/millionaire/default.asp
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------