Penetration Testing mailing list archives
RE: How to report a Vulnerability to a Company
From: "Boaz Shunami" <BoazS () comsecglobal com>
Date: Wed, 9 Jan 2008 17:10:09 +0200
Hi Vikas, Generally speaking it depends on the nature of the company and their policy. Doing this stuff can be charged against you (Because the company did not allow you to attack its website, no matter what you have discovered). You need to have an agreement or a contract with the company. Best Regards, Boaz Shunami Comsec Consulting -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vikas Singhal Sent: Monday, January 07, 2008 2:25 PM To: pen-test () securityfocus com Subject: How to report a Vulnerability to a Company Hi all, Lets say I found a vulnerability in some company's website ( e.g SQL Injection ) and that vulnerability is crucial to the company. How do I ethically report it to the Company and have credit for that. Can I go and say "Hey! I found a vuln in your website with gives me the password back for any user" Or doing this kinda stuff is not ethical at all unless you make a SLA with the company before doing any your own pentest. Can somebody give me any pointer in this direction. Regards Vikas Singhal ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ********************************************************************************************** IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error, please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies thereof. *** eSafe scanned this email for viruses, vandals, and malicious content. *** ********************************************************************************************** ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- How to report a Vulnerability to a Company Vikas Singhal (Jan 08)
- RE: How to report a Vulnerability to a Company benoni.martin (Jan 09)
- RE: How to report a Vulnerability to a Company Paul Melson (Jan 09)
- RE: How to report a Vulnerability to a Company Thor (Hammer of God) (Jan 09)
- RE: How to report a Vulnerability to a Company Barry Greene (bgreene) (Jan 09)
- Re: How to report a Vulnerability to a Company James Matthews (Jan 09)
- RE: How to report a Vulnerability to a Company Password Crackers, Inc. (Jan 09)
- <Possible follow-ups>
- Re: How to report a Vulnerability to a Company firesidepeavey (Jan 09)
- RE: How to report a Vulnerability to a Company Boaz Shunami (Jan 09)
- Re: How to report a Vulnerability to a Company Ed Telecommuter (Jan 10)
- Re: How to report a Vulnerability to a Company krymson (Jan 10)
- Re: How to report a Vulnerability to a Company Liran Cohen (Jan 14)
- Message not available
- Fwd: How to report a Vulnerability to a Company Adam K (Jan 15)
- Re: How to report a Vulnerability to a Company Liran Cohen (Jan 14)