Re: Disclosure of vulns and its legal aspects...



On Wed, May 30, 2007 at 09:14:39AM +0100, Lee Lawson wrote:
I would personally create an anoymous email account and send them some
information stating that you are a penetration tester that 'happened'
upon a possible security flaw in their website, but because of the
state of fear that some unenlightened organisations have about this
type of situation, you wish to remain anonymous at this point. Then
explain that if they are open to increasing the security of their
website, you will gladly analyse the security flaw further and give
them full disclosure, on the basis that you will be given written
permission prior to continuing further.

I hardly think that "written permission" granted after what would be
received as an extortion attempt would be valid.

If you are really intent on helping the party that's insecure, then the
only quasi-safe way to do it is to send an anonymous report that has all
the details, shows them how to reproduce the issue themselves, and urge
them to contact their local security experts to have this looked at.

The ONLY CHANCE of having your message being taken seriously is if there
is no question about your motives, and the only way to attempt that is to
remove yourself from the loop once you've sent off the report. That means
no ongoing contact, no payment, no work. You leave it to them to fix.

Even this is no guarantee - the great majority of unsolicited security
reports is ignored even if presented clearly and with an unambiguous
message disclaiming any personal gain.

It's really just not worth the trouble.

Steve

---
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@xxxxxxxxxxx

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------



Relevant Pages

  • RE: Pen-Test and Social Engineering
    ... "see...your network security is penetrable". ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Hackers are concentrating their efforts on attacking applications on your ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
    (Pen-Test)
  • RE: Pen-Test and Social Engineering
    ... "see...your network security is penetrable". ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Hackers are concentrating their efforts on attacking applications on your ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
    (Pen-Test)
  • RE: Nortel Contivity 2600
    ... simplicity and security is a combination of things that have been suggested. ... Put the inside interface in a DMZ of its own with an IPS device between ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping ...
    (Pen-Test)
  • RE: Windows XP SP2 and Security Tools
    ... issues that were in SP2. ... Windows XP SP2 and Security Tools ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are ...
    (Pen-Test)
  • RE: User Education (was: New article on SecurityFocus)
    ... Those responsible for the education ... > security relates to their job - about the only time they run into it is ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
    (Pen-Test)