From: Morning Wood (se_cur_ity@hotmail.com)
Date: Wed May 30 2007 - 11:51:44 EDT
> itself was on it's website... My first step and only one so far was to
> write the vendor the typical "praxis" e-mail saying that there MIGHT
> be a vulnerability SOMEWHERE on their website and that i would like
> carte blanche to investigate a bit more about it. I am now stuck with
> 3 thoughts, first of all, if the answer is no ( most common perhaps)
> the vendor will be losing its chance to know where and what flaw is
> it... will i be stuck with that and not be able to publicize it to the
> security community?
When this has happened to me, I try to phone the affected party. I detail
the flaw, point them in the right direction ( email is a last resort ) , I
do not say there MIGHT be a possible flaw SOMEWHERE ( good way to raise
suspicion, they expect extortion next... ). I NEVER ask to fix or probe
more, I do tell them I am a freelance pentester, I DO NOT offer services or
offer to fix for PAY. Generally they understand, sometimes not ( questions
like "why would anyone enter bad data in my web form?" and "we have the best
devs, there is no problem" are common ), most helpfull are screenshots to
show what you mean. As for reporting / disclosing publicly... unless the
site uses a common script / cms / whathaveyou, the flaw is most likely site
specific, there realy is no need to disclose the flaw to the public ( it
simply serves no good )
cheers,
m.wood
http://exploitlabs.com
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:50 EDT