Penetration Testing mailing list archives
Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability?
From: Dotzero <dotzero () gmail com>
Date: Thu, 31 Jul 2014 13:08:23 -0400
On Thu, Jul 31, 2014 at 9:43 AM, Mike Peppard <mpeppard () impole com> wrote:
Don't do this. No good deed goes unpunished. This is not the only security list I am on and while I strongly sympathize and would treat the OP to pizza for his friends and family out of my own pocket for bringing this to me, the reaction from others could be aggressive police and legal action.
I'm going to agree with Mike on this. You need to be very careful in how you proceed. Looking at it from the other side, the organization that is being contacted does not know what your motivations are. From time to time I've had "pen-testers" reach out over things they've found (or think they've found). Some of the approaches have sounded suspiciously like extortion. We've noticed reputable firms hitting our sites, and when we reach out and say "what up?" they respond that they are "doing research". If you are an individual, you want to be extra careful both in what you are doing and how you report what you find. Even just putting it out there publicly could get you in trouble. I have mixed feelings on this issue because a lot of it depends on context. Just understand that others may not view this through the same lens as you do.
Current thread:
- How to deal with the company that doesn't react on providing them information about serious security vulnerability? Michał Rybiński (Jul 25)
- Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Dolev Farhi (Jul 27)
- Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Tim (Jul 30)
- RE: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Mostyn, William Thomas (Tom) (Jul 30)
- Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Mike Peppard (Jul 31)
- Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Dotzero (Jul 31)