Reporting a vulnerability

nainsandeep

Newbie

Posts: 2

Joined: Wed Sep 05, 2007 11:41 pm

Post Thu Sep 06, 2007 7:16 am

Reporting a vulnerability

Hi Everyone

I recently found a vulnerability in a public website and I wish to report it to the manager. But I am not sure how he/she will react to it.

Can anyone please advise me on this? Should I report it or not? If yes, how do I go about it?
Looking for a breakthrough in the security industry...
jimbob

Post Thu Sep 06, 2007 8:20 am

Re: Reporting a vulnerability

Hi,
It depends on a number of factors including the nature of the website, who runs it, the risk of the vulnerability and what exactly you did to identify the issue. If this is something you discovered through legitimate use of the site then there's no reason why you shouldn't report it. If you crossed over the line and did something you shouldn't have then you could potentially get yourself into trouble.

The method for reporting a security issue will differ from site to site. Look for a contacts page and send an email or give them a call. Expect to be ignored, though; you may not get a response at all from them, regardless of whether they choose to act on the information you give.

Jimbob
dean

Post Thu Sep 06, 2007 2:14 pm

Re: Reporting a vulnerability

Jimbob is right and it does depend on a lot of factors. Were you simply a regular user of the site? What were your intentions? Did you actively seek out the vulnerability? Are you attempting to use this as an opportunity to solicit work from the site owners?

Depending on your geographical location and the location of the site, the owners could be within their rights to report/charge you.

If it was an honest discovery, check the whois information for the domain and report it to that person. Most sites should have a webmaster@ email for contacting the developers. If you are concerned about repercussions, and it sounds like you are, then use an anonymous email account to send the email. If it is a banking/e-commerce site and the vuln is severe enough (disclosing account info, etc...) you might want to report it to the governing/oversight/regulatory body for that industry, if such an entity exists.

There are numerous threads about this topic on the securityfocus lists.

On a lighter note: show your support for ' or 1=1-- , a collective security organization with a completely open membership. :)

http://www.apostropheor1equals1dashdash.com/ - a great way to get away with "testing" a site.

Cheers,
Dean
NurBo`

Newbie

Posts: 1

Joined: Fri Sep 07, 2007 10:41 pm

Post Fri Sep 07, 2007 11:04 pm

Re: Reporting a vulnerability

For some reason, whenever you try to report something to a web admin they always think you're going to, or trying to, hack their website :/
Just tell him in the most polite way.
Last edited by NurBo` on Fri Sep 07, 2007 11:06 pm, edited 1 time in total.
termight

Newbie

Posts: 26

Joined: Tue Aug 21, 2007 5:50 pm

Location: MARS

Post Thu Oct 04, 2007 5:24 pm

Re: Reporting a vulnerability

If you really want to report the vulnerability you found to the site admin, why don't you create an account at Gmail, Yahoo or Hotmail with fake info? Also make sure you use a different IP, because email headers can contain your IP and you could be tracked. If you think the email will be treated as spam, you can drop your solution at a place the site admin will find in the wwwroot folder, or somewhere safe for the admin.

This might not be ethical, but it might work.
>>There Is Always A Blind Spot In
>>Every Software, It's Up To Us To Find It
dannioni

Newbie

Posts: 44

Joined: Tue Sep 18, 2007 12:51 pm

Post Fri Oct 05, 2007 8:13 am

Re: Reporting a vulnerability

Well, I would report it, and then it's up to the admin. But you also have to consider whether others could be hurt by this exploit. If it's an e-store, maybe someone could steal credit card numbers; but if it's just a random guy's home page, well, it's his problem.