Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: Dan Catalin Vasile <hardware_cta () yahoo com>
Date: Thu, 5 Oct 2006 12:10:40 -0700 (PDT)
> You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so.

Yeah, right... and then call all the lawyers that you know. This would be blackmail, so you are eligible for a grandiose legal action against you.

My several cents: if they don't answer after one e-mail, just leave them. You have done more than enough.

Have secure fun,
Dan

--- Andreas Putzo <putzoa () gmx de> wrote:
> On Oct 04, Joseph McCray wrote:
>> Usually when we do this we only find a few simple things (XSS for example) - no big deal, right. With this particular website we just kept finding another, after another and on and on. Over 600 instances of XSS, over 200 SQL Injection - this was bad. After a while it started to get boring, there were so many....
>>
>> So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my findings and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called, I just said forget it.
>
> You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so.
>
> Depending on the information you can get through the website (customer data anywhere?) and the laws in your country (IANAL, btw.) you may go to the intrigued publicity, indeed. They gotta have to do something if someone defaced their website actually.
>
> --
> regards,
> Andreas Putzo
------------------------------------------------------------------------
This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Current thread:
- RE: Informing Companies about security vulnerabilities..., (continued)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 04)
- Re: Informing Companies about security vulnerabilities... Jex (Oct 04)
- Re: Informing Companies about security vulnerabilities... Wolf Halton (Oct 04)
- Re: Informing Companies about security vulnerabilities... Micro Kluge (Oct 06)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 04)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 05)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 05)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 05)
- Re: Informing Companies about security vulnerabilities... s-williams (Oct 05)
- Re: Informing Companies about security vulnerabilities... Dan Catalin Vasile (Oct 05)
- RE: Informing Companies about security vulnerabilities... bugtraq (Oct 04)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... gat0r (Oct 06)
- Re: Informing Companies about security vulnerabilities... Dragos Ruiu (Oct 05)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... jay.tomas (Oct 04)
- Re: Informing Companies about security vulnerabilities... Thor (Hammer of God) (Oct 04)
- Re: Informing Companies about security vulnerabilities... Stefano Zanero (Oct 05)
- Re: Informing Companies about security vulnerabilities... Thor (Hammer of God) (Oct 04)
- RE: Informing Companies about security vulnerabilities... Krpata, Tyler (Oct 04)
- Re: Informing Companies about security vulnerabilities... bugtraq (Oct 04)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 04)