Penetration Testing mailing list archives

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability?


From: Dotzero <dotzero () gmail com>
Date: Thu, 31 Jul 2014 13:08:23 -0400

On Thu, Jul 31, 2014 at 9:43 AM, Mike Peppard <mpeppard () impole com> wrote:
> Don't do this. No good deed goes unpunished.
>
> This is not the only security list I am on and while I strongly sympathize
> and would treat the OP to pizza for his friends and family out of my own
> pocket for bringing this to me, the reaction from others could be aggressive
> police and legal action.



I'm going to agree with Mike on this. You need to be very careful in
how you proceed. Looking at it from the other side, the organization
that is being contacted does not know what your motivations are. From
time to time I've had "pen-testers" reach out over things they've
found (or think they've found). Some of the approaches have sounded
suspiciously like extortion. We've noticed reputable firms hitting our
sites and when we reach out and say "what up?" they respond that they
are "doing research".

If you are an individual you want to be extra careful both in what you
are doing and how you report what you find. Even just putting it out
there publicly could get you in trouble. I have mixed feelings on this
issue because a lot of it depends on context. Just understand that
others may not view this through the same lens as you do.

