Penetration Testing mailing list archives
Re: Things to do before vulnerability disclosure
From: Justin Ferguson <jnferguson () gmail com>
Date: Tue, 16 Jun 2009 07:44:33 +0700
I'm guessing the OP is not in the US, in which case you might find yourself in legal trouble depending on your country's laws, and you'd probably be better off doing a Google search on the subject than talking to a very US-centric list that's bound to give you potentially incorrect advice (i.e. below). Figure that out, then decide your own set of ethics; it's your bug, do what you want with it. If you're curious about mainline 'ethics', you can dig through old advisories and find links to many researchers' own disclosure policies. Mine personally is: if you paid me to find it, it's up to you what I do with it; otherwise, it's my bug and I'll do what I want, when I want and how I want. If you don't like it, program better.

On Tue, Jun 16, 2009 at 6:54 AM, Geoffrey J Gowey <gjgowey () gmail com> wrote:
Print out the note to them from a library, pick up the note using gloves, put the note in a self-sealing envelope (minus return address), put on a self-adhesive stamp, then mail the note from a public box in another town. Or you could email them and find out the hard way how much of a sense of humor their corporate security department has (read: lawsuit).

Sent from my iPhone

On Jun 15, 2009, at 11:10 AM, Giuseppe Fuggiano <giuseppe.fuggiano () gmail com> wrote:

Hi list,

What are, if any, the legal and "ethical" things to do before someone could publicly disclose a given vulnerability?

--
Giuseppe

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 15)
- Re: Things to do before vulnerability disclosure Geoffrey J Gowey (Jun 15)
- Re: Things to do before vulnerability disclosure Justin Ferguson (Jun 15)
- Re: Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 16)
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 16)
- Message not available
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 17)
- Re: Things to do before vulnerability disclosure Aarón Mizrachi (Jun 17)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 17)
- Re: Things to do before vulnerability disclosure Jeffrey Walton (Jun 18)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 18)
- RE: Things to do before vulnerability disclosure Nick Vaernhoej (Jun 18)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 20)
- Re: Things to do before vulnerability disclosure Geoffrey J Gowey (Jun 15)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 17)