Re: Informing Companies about security vulnerabilities...
- From: Dan Catalin Vasile <hardware_cta@xxxxxxxxx>
- Date: Thu, 5 Oct 2006 12:10:40 -0700 (PDT)
You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so.
Yeah, right... and then call all the lawyers that you know. This would be blackmail, so you are eligible for a grandiose legal action against you.
My several cents: if they don't answer after one e-mail just leave them. You have done more than enough.
Have secure fun,
Dan
--- Andreas Putzo <putzoa@xxxxxx> wrote:
On Oct 04, Joseph McCray wrote:
Usually when we do this we only find a few simple things (XSS for example) - no big deal right. With this particular website we just kept finding another, after another and on and on. Over 600 instances of XSS, over 200 SQL Injection - this was bad. After a while it started to get boring there were so many....several other prominent
So I drafted a letter to the editor as well as people at the newspaper. It detailed my finding and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called I just said forget it.
You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so.
Depending on the information you can get through the website (customer data anywhere?) and the laws in your country (IANAL, btw.) you may go to the intrigued publicity, indeed. They would have to do something if someone actually defaced their website.
--
regards,
Andreas Putzo
This List Sponsored by: Cenzic
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.