Re: Informing Companies about security vulnerabilities...



On Oct 04, Joseph McCray wrote:
Usually when we do this we only find a few simple things (XSS for
example) - no big deal, right. With this particular website we just kept
finding another, after another and on and on. Over 600 instances of XSS,
over 200 SQL injection - this was bad. After a while it started to get
boring, there were so many....

So I drafted a letter to the editor as well as several other prominent
people at the newspaper. It detailed my findings and recommended some
possible mitigation strategies. After emailing this I didn't hear
anything for a few days, so I emailed it again and followed up with a
phone call. After getting no response to the second email and then
having been bounced around from department to department when I called, I
just said forget it.

You can try setting them an ultimatum, pretending to disclose the holes
to the public. Perhaps they are more willing to react if they are forced
to do so.
Depending on the information you can get through the website (customer
data anywhere?) and the laws in your country (IANAL, btw.),
you may indeed go for the intrigued publicity. They would have to do something if
someone actually defaced their website.


--
regards,
Andreas Putzo



