Re: How to report a Vulnerability to a Company

From: firesidepeavey@yahoo.com
Date: Tue Jan 08 2008 - 11:33:32 EST


Hello. To answer your question, it really depends on your position within the company. I have released many vulnerabilities to my company; I have even handed our CIO a printout of my terminal from the hack. Being a Senior Unix Engineer, I can get away with reporting issues of that level because it is an assumed responsibility. If you're not in that type of position, the first thing your company will probably want to know is why you were looking for vulnerabilities in the first place. I would recommend having a good answer ready for them. If your position does not have that responsibility, then you really have to have permission from the company before you can go wild on their network looking for hacks. My recommendation would be to talk with someone you trust in a higher technical position and see how they recommend you release this information based on your company's policies and procedures. What you don't want to happen is they fix the vulnerability, then hang you out to dry for finding/hacking it. Be careful; sometimes, even though it's the ethical thing to do, it might not be worth your job. If it is really that large of a hole, you can always submit it anonymously.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT