Penetration Testing
How to deal with the company that doesn't react on providing them information about serious security vulnerability? Jul 23 2014 10:06AM
Michał Rybiński (fishmanos79 gmail com) (2 replies)
Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Jul 30 2014 04:36PM
Tim (tim-pentest sentinelchicken org) (2 replies)
Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Jul 31 2014 01:43PM
Mike Peppard (mpeppard impole com) (1 replies)
Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Jul 31 2014 05:08PM
Dotzero (dotzero gmail com)
On Thu, Jul 31, 2014 at 9:43 AM, Mike Peppard <mpeppard (at) impole (dot) com> wrote:
> Don't do this. No good deed goes unpunished.
>
> This is not the only security list I am on and while I strongly sympathize
> and would treat the OP to pizza for his friends and family out of my own
> pocket for bringing this to me, the reaction from others could be aggressive
> police and legal action.
>
>

I'm going to agree with Mike on this. You need to be very careful in
how you proceed. Looking at it from the other side, the organization
that is being contacted does not know what your motivations are. From
time to time I've had "pen-testers" reach out over things they've
found (or think they've found). Some of the approaches have sounded
suspiciously like extortion. We've noticed reputable firms hitting our
sites and when we reach out and say "what up?" they respond that they
are "doing research".

If you are an individual you want to be extra careful both in what you
are doing and how you report what you find. Even just putting it out
there publicly could get you in trouble. I have mixed feelings on this
issue because a lot of it depends on context. Just understand that
others may not view this through the same lens as you do.

