[OWASP-South Africa] reporting vulnerabilities
daniel.cuthbert at owasp.org
Mon Jan 31 09:17:44 EST 2011
Also be aware that some companies might take it as an attack against them
(you were not authorised, therefore it's illegal). Word your first email
with them carefully. Shout if you need help.
On 31 January 2011 15:04, Haroon Meer <haroon at thinkst.com> wrote:
> Hi Steven.
> On Mon, Jan 31, 2011 at 10:51 AM, Steven <steven.scheffler at gmail.com>
> > what are your experiences of reporting application/website vulnerabilities
> > to local companies?
> This comes up often enough, so I guess it's worth a public reply.
> Personally, I have seldom found developers who truly do not care. I.e.
> most want to do good work, and a vulnerability is a bug most would
> rather fix. (They are generally (eventually) happier for knowing).
> (In my experience) If you want nothing out of the deal, all is good,
> and there is little problem. The issue gets slightly murkier when you
> actually want something from the deal. (Money, Fame, Follow Up
> consulting work, etc). In such cases things look like Blackmail very
> easily and you walk a fine line.
> If you want nothing from it, hedge your bets. An email from a hushmail
> account with sufficient details for them to fix the issue means that
> they will be able to communicate with you if they need clarification,
> without too much risk to you.
> If you plan to build a relationship, by saying "I do this for a
> living, look what I found", you need to be prepared to explain how/why
> you tested their site without permission and you need to be fully
> prepared to have them use the information without any benefit coming
> to you.
> Haroon Meer http://thinkst.com/
> Tel: +27 83 786 6637 PGP: http://thinkst.com/pgp/haroon.txt
> OWASP-SouthAfrica mailing list
> OWASP-SouthAfrica at lists.owasp.org