[OWASP-South Africa] OWASP-SouthAfrica Digest, Vol 14, Issue 2

Dash Shendy admin at dash.za.net
Tue Feb 1 01:16:59 EST 2011

Yes, that is correct; it was years before I had the courage to tell someone,
let alone an organization such as a bank, as I was scared.
For the most part, people do want to plug holes and are very grateful
when alerted about such holes.
Maybe the thing to bear in mind is to not give up even if you get no
response at all, and to keep on telling people until someone reacts.
Another thing that matters is to always try to tell the owners (the people
who really should care and are affected the most) instead of the
development companies that built the software, who sometimes are not at all
interested in revealing holes in their code to their clients, will plug
them silently and inefficiently, or will simply ignore you.
I think that approaching the right person is key here, as this could
greatly influence the results.

It can be very frustrating to be totally ignored and not taken seriously
enough, especially when the vulnerability is dangerous.
There are many sites on the net that advertise security yet are insecure
themselves, which doesn't do much good for their image. Those organizations,
as well as some of the big development companies, can sometimes be very
arrogant and completely ignore you, or tell you that the hole isn't there,
or worse, "think" that they have plugged it themselves, when clearly they
haven't done a proper job.

There was only hope left in Pandora's box.

