Re: Consulting Question



Hi Chris,

Please correct me if I am wrong, but regarding your first question, you
shouldn't be doing that kind of approach with potential customers, as
doing some kind of "random" penetration testing in order to find
vulnerabilities is illegal and unethical.

Answering your second question, a good way of contributing to the
security industry could be to post your key findings and ways to solve
the problem in security lists like this one, obviously avoiding putting in
any company names which could damage their reputation.

Hope this helps.

Fabio

On 5/8/07, sammons@xxxxxxxxxx <sammons@xxxxxxxxxx> wrote:
Hello All,

I would like to get my feet wet doing some general security consultation
work (network audits, penetration testing, etc.). My question concerns
a proper approach to potential clients. Consider this situation: I have
found a few vulnerabilities in the company's web application product
that could lead to potential identity theft and system compromise. This
being a relatively large company, how would one go about informing the
company about this vulnerability without them leaving you 100% out of
the equation?

In the case that the company is not interested in further third-party
assistance, I have a second question (concerning credit for finding such a
vulnerability). What is the proper/ethical protocol for publishing a
software vulnerability? Are there any other methods that would ensure
credit while protecting the company from mass exploitation? I thank you
in advance for your input.

Best Regards,

Chris
