[OWASP-South Africa] reporting vulnerabilities

Haroon Meer haroon at thinkst.com
Mon Jan 31 08:04:12 EST 2011

Hi Steven.

On Mon, Jan 31, 2011 at 10:51 AM, Steven <steven.scheffler at gmail.com> wrote:
> what is your experiences on reporting application/website vulnerabilities to
> local companies?

This comes up often enough, so I guess it's worth a public reply.
Personally, I have seldom found developers who truly do not care, i.e.
most want to do good work, and a vulnerability is a bug most would
rather fix. (They are generally (eventually) happier for knowing.)

(In my experience) if you want nothing out of the deal, all is good,
and there is little problem. The issue gets slightly murkier when you
actually want something from the deal (money, fame, follow-up
consulting work, etc.). In such cases things look like blackmail very
easily and you walk a fine line.

If you want nothing from it, hedge your bets. An email from a hushmail
account with sufficient details for them to fix the issue means that
they will be able to communicate with you if they need clarification,
without too much risk to you.

If you plan to build a relationship, by saying "I do this for a
living, look what I found", you need to be prepared to explain how/why
you tested their site without permission and you need to be fully
prepared to have them use the information without any benefit coming
to you.

Haroon Meer        http://thinkst.com/
Tel: +27 83 786 6637    PGP: http://thinkst.com/pgp/haroon.txt
