Re: Reporting website vulnerabilities

From: Peter Manis (manis@digital39.com)
Date: Tue Sep 04 2007 - 18:34:01 EDT


I sent an email to their privacy department and they are supposed to
contact me. If they refuse to take action, then they will feel it is
not a security issue and there is no reason I shouldn't make the
knowledge public. After it is taken care of I may write about it so
that people signed up as an affiliate can change their passwords.

On 9/4/07, benoit noteris <noteris@gmail.com> wrote:
> hi
> i think good think to do may be to contact the administrator instead of
> public announcement
> but you do what ever you want.
>
> ben
> have a nice day
>
> 2007/9/2, Peter Manis < manis@digital39.com>:
> >
> > I am an affiliate of a website that I guess you could consider
> > popular. Everything is passed over an insecure connection, such as
> > the login, changing passwords, home address, and some other
> > information that is more sensitive.
> >
> > I have plans to contact the company and inform them about all of this,
> > however they should already know which makes it that much worse. I
> > also feel the public should know since their information is what is
> > being transmitted over an insecure connection. What is a good
> > procedure for handling things like this? I have heard companies can
> > sue if you release vulnerabilities to the public.
> >
> > - Pete
> >
> >
> ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> >
> ------------------------------------------------------------------------
> >
> >
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:05 EDT