Penetration Testing
Re: failure notice Jul 25 2014 03:26PM
Nikola Milosevic (nikola milosevic86 gmail com)
Well, I believe the right answer is nothing. If you publicly disclose it,
you are risking being sued.

It is ethical to disclose it to them, as you did. However, the company is
not liable for giving you a prize or even doing anything about the vulnerability
(I guess until it is too late). They don't even need to write you a thank-you
mail. It is good practice to do something about it, and even to give a prize to
motivate such research and harden their security, but no one forces them
to do so.

I know not receiving an answer is quite disappointing, but I don't think you
have any other "right" option for reacting to that.

Best regards,

Nikola Milošević

On 25 July 2014 16:21, <MAILER-DAEMON (at) lists.securityfocus (dot) com [email concealed]> wrote:
> Hi. This is the qmail-send program at lists.securityfocus.com.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
>
> <pen-test (at) lists.securityfocus (dot) com [email concealed]>:
> ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)
>
> --- Below this line is a copy of the message.
>
> Return-Path: <nikola.milosevic86 (at) gmail (dot) com [email concealed]>
> MIME-Version: 1.0
> In-Reply-To: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ (at) mail.gmail (dot) com [email concealed]>
> References: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ (at) mail.gmail (dot) com [email concealed]>
> From: Nikola Milosevic <nikola.milosevic86 (at) gmail (dot) com [email concealed]>
> Date: Fri, 25 Jul 2014 16:21:37 +0100
> Message-ID: <CAJWAiW48ZA62nXrRiL-naKBu=URGCz-tnLnUNZSEKtCEb8W=RA (at) mail.gmail (dot) com [email concealed]>
> Subject: Re: How to deal with the company that doesn't react on providing them
> information about serious security vulnerability?
> To: Michał Rybiński <fishmanos79 (at) gmail (dot) com [email concealed]>
> Cc: pen-test (at) securityfocus (dot) com [email concealed]
> Content-Type: multipart/alternative; boundary=001a11348abc51692c04ff062208
>
> --001a11348abc51692c04ff062208
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
>
> On 23 July 2014 11:06, Michał Rybiński <fishmanos79 (at) gmail (dot) com [email concealed]> wrote:
>
>> Hi all,
>>
>> I believe this is the best place to ask such a question, because I would
>> imagine that most of the people reading this list have something to do
>> with discovering vulnerabilities and reporting them to the parties
>> responsible.
>>
>> At the beginning of January I discovered a security flaw
>> which allows basically anyone to access all personal client data
>> (full name, full address, email address and a few more) of one of the
>> best-known Internet IT magazines.
>> Although I sent information about it to 3 different contact email
>> addresses over a two-month time span, the only thing I got in return
>> was the information that "We have received your email and have forwarded
>> it to our main office to review and advise.", received on 1st of April.
>> Since then I haven't heard from them at all.
>>
>> The easiest action I can think of is to just make a full disclosure of
>> the flaw and wait for the reaction, but because this would allow almost
>> anyone to access the personal data of tens if not hundreds of thousands of
>> subscribers (including me), I'd rather not do that...
>>
>> Could any of you propose what would be the best solution in this
>> case, or maybe more generally this subject can be the start of a more
>> general question - what should be done with companies that don't
>> react to such information being sent?
>>
>> Many thanks
>> MR
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Information Assurance Certification Review Board
>>
>> Prove to peers and potential employers without a doubt that you can
>> actually do a proper penetration test. IACRB CPT and CEPT certs require a
>> full practical examination in order to become certified.
>>
>> http://www.iacertification.org
>> ------------------------------------------------------------------------
>>
>>
>
> --001a11348abc51692c04ff062208--


Copyright 2010, SecurityFocus