[Owasp-Recife] Fwd: [OWASP-PB] Fwd: How to deal with the company that doesn't react on providing them information about serious security vulnerability?

Caio Dias caio.dias at owasp.org
Wed Jul 30 17:03:13 UTC 2014


Forwarding...

Begin forwarded message:
> 
> ---------- Forwarded message ----------
> From: Tim <tim-pentest at sentinelchicken.org>
> Date: 2014-07-30 13:36 GMT-03:00
> Subject: Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability?
> To: Michał Rybiński <fishmanos79 at gmail.com>
> Cc: pen-test at securityfocus.com
> 
> 
> Have you tried contacting their public relations department?
> Marketing department?  Try to get them on the phone.  Those kinds of
> folks have a big interest in protecting the brand of the company and
> they have the ear of executives.  Failing that, make the issue very
> public on social media (as already suggested), but perhaps don't
> release technical details right away.
> 
> Another avenue would be to contact government authorities who are in
> charge of enforcing privacy laws.  In the US, most states have a
> public disclosure law on the books which requires companies to notify
> their customers when their information is exposed.  Clearly information
> is being exposed as we speak.  Individual state Attorneys General
> might be interested to know that.
> 
> tim
> 
> 
> On Wed, Jul 23, 2014 at 11:06:29AM +0100, Michał Rybiński wrote:
> > Hi all,
> >
> > I believe this is the best place to ask such a question because I would
> > imagine that most of the people reading this list have something to do
> > with discovering vulnerabilities and reporting them to the parties
> > responsible.
> >
> > At the beginning of January I discovered a security flaw
> > which allows basically anyone to access all personal client data
> > (full name, full address, email address and a few more) of one of the
> > best-known Internet IT magazines.
> > Although I sent information about it to 3 different contact email
> > addresses over a two-month time span, the only thing I got in return
> > was the message "We have received your email and have forwarded
> > it to our main office to review and advise.", received on 1st of April.
> > Since then I haven't heard from them at all.
> >
> > The easiest action I can think of is to just make a full disclosure of
> > the flaw and wait for the reaction, but because this would allow almost
> > anyone to access the personal data of tens if not hundreds of thousands of
> > subscribers (including me), I'd rather not do that...
> >
> > Could any of you propose what would be the best solution in this
> > case? Or maybe this subject can be the start of a more
> > general question: what should be done about companies that don't
> > react to such information being sent?
> >
> > Many thanks
> > MR
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Board
> >
> > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
> >
