Penetration Testing mailing list archives
RE: How to report a Vulnerability to a Company
From: "Password Crackers, Inc." <pwcrack () pwcrack com>
Date: Tue, 8 Jan 2008 14:46:16 -0500
Rain Forest Puppy put out something that I thought represented a good start at coming out with an industry standard for this type of thing. However, at the time, I added a comment that it did not provide for any attempt to negotiate monetary compensation for the work or research. Compensation is a sticky wicket because it can be interpreted as extortion. However, any policy that does not deal with the issue or assumes that all security research is to be provided free of charge I fear is incomplete. I would welcome some additions to an industry standard in that regard.

I believe version two is not on his website here: http://www.wiretrip.net/rfp/policy.html

The fact remains that an accepted industry standard for dealing with vulnerabilities should be welcomed by all involved.

Bob Weiss
Password Crackers, Inc.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vikas Singhal
Sent: Monday, January 07, 2008 7:25 AM
To: pen-test () securityfocus com
Subject: How to report a Vulnerability to a Company

Hi all,

Let's say I found a vulnerability in some company's website (e.g. SQL Injection) and that vulnerability is crucial to the company. How do I ethically report it to the company and have credit for that? Can I go and say "Hey! I found a vuln in your website which gives me the password back for any user"? Or is doing this kind of stuff not ethical at all unless you make an SLA with the company before doing any of your own pentesting?

Can somebody give me any pointers in this direction?

Regards
Vikas Singhal

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:
- How to report a Vulnerability to a Company Vikas Singhal (Jan 08)
- RE: How to report a Vulnerability to a Company benoni.martin (Jan 09)
- RE: How to report a Vulnerability to a Company Paul Melson (Jan 09)
- RE: How to report a Vulnerability to a Company Thor (Hammer of God) (Jan 09)
- RE: How to report a Vulnerability to a Company Barry Greene (bgreene) (Jan 09)
- Re: How to report a Vulnerability to a Company James Matthews (Jan 09)
- RE: How to report a Vulnerability to a Company Password Crackers, Inc. (Jan 09)
- <Possible follow-ups>
- Re: How to report a Vulnerability to a Company firesidepeavey (Jan 09)
- RE: How to report a Vulnerability to a Company Boaz Shunami (Jan 09)
- Re: How to report a Vulnerability to a Company Ed Telecommuter (Jan 10)
- Re: How to report a Vulnerability to a Company krymson (Jan 10)
- Re: How to report a Vulnerability to a Company Liran Cohen (Jan 14)
- Message not available
- Fwd: How to report a Vulnerability to a Company Adam K (Jan 15)
- Re: How to report a Vulnerability to a Company Liran Cohen (Jan 14)