Penetration Testing mailing list archives
RE: How to report a Vulnerability to a Company
From: <benoni.martin () accenture com>
Date: Wed, 9 Jan 2008 17:12:47 +0100
Hi!

My personal experience was: I found one day a vulnerability on a commercial site (I could download any file from their web server, including the config files containing all the logins/passwords/IPs/... of their database servers ...). So I sent a nice email to the webmaster/admin reporting that. I was never prosecuted ... but the admin never patched his web server either ...

BTW, you should also add to your report that it's not a very good idea to store clear-text passwords in a database as they seem to do ... Storing the hashes instead would be really better :)

Regards.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vikas Singhal
Sent: Monday 7 January 2008 13:25
To: pen-test () securityfocus com
Subject: How to report a Vulnerability to a Company

Hi all,

Let's say I found a vulnerability in some company's website (e.g. SQL injection) and that vulnerability is crucial to the company. How do I ethically report it to the company and get credit for that? Can I go and say "Hey! I found a vuln in your website which gives me the password back for any user"? Or is doing this kind of stuff not ethical at all unless you make an SLA with the company before doing any pentest on your own?

Can somebody give me any pointer in this direction?

Regards
Vikas Singhal

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
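The closing advice in the message above (hash passwords rather than storing them in clear text) is easy to get subtly wrong, so here is an added example, written for this archive page and not code from the poster or from the site described. It assumes PBKDF2-HMAC-SHA256 from the Python standard library, a per-user random salt, an iteration count of 600,000 and a self-describing record format of the form `algorithm$iterations$salt$hash`; all of those are choices made for the example. The point a downloaded config or database dump then reveals is only salt and hash, and two users with the same password do not even share a record.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not from the mailing-list post. Parameters below are assumptions.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed or tampered record never verifies
    if algorithm != ALGORITHM or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_table(plain: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, str]:
    """Replace a clear-text users table with salted hash records (one-time migration)."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in plain.items()}


def leaks_plaintext(plain: Dict[str, str], stored: Dict[str, str]) -> bool:
    """True if any original password is recoverable verbatim from what a dump would show."""
    return any(pw in stored[user] for user, pw in plain.items())


if __name__ == "__main__":
    # Constructed sample: the kind of clear-text table the post's admin kept.
    users = {"alice": "s3cret!", "bob": "s3cret!", "carol": "hunter2"}
    hashed = migrate_table(users)
    for user, record in hashed.items():
        print(user, record)
    print("same password, different records:", hashed["alice"] != hashed["bob"])
    print("alice logs in:", verify_password("s3cret!", hashed["alice"]))
    print("wrong password:", verify_password("wrong", hashed["alice"]))
    print("dump leaks plaintext:", leaks_plaintext(users, hashed))
```

Storing the iteration count inside the record lets you raise the work factor later and re-hash old records transparently at the user's next successful login; a fixed global constant would force a reset for everyone.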
Current thread:
- How to report a Vulnerability to a Company Vikas Singhal (Jan 08)
- RE: How to report a Vulnerability to a Company benoni.martin (Jan 09)
- RE: How to report a Vulnerability to a Company Paul Melson (Jan 09)
- RE: How to report a Vulnerability to a Company Thor (Hammer of God) (Jan 09)
- RE: How to report a Vulnerability to a Company Barry Greene (bgreene) (Jan 09)
- Re: How to report a Vulnerability to a Company James Matthews (Jan 09)
- RE: How to report a Vulnerability to a Company Password Crackers, Inc. (Jan 09)
- <Possible follow-ups>
- Re: How to report a Vulnerability to a Company firesidepeavey (Jan 09)
- RE: How to report a Vulnerability to a Company Boaz Shunami (Jan 09)
- Re: How to report a Vulnerability to a Company Ed Telecommuter (Jan 10)
- Re: How to report a Vulnerability to a Company krymson (Jan 10)
- Re: How to report a Vulnerability to a Company Liran Cohen (Jan 14)
(Thread continues...)