Date: Wed, 4 Oct 2006 15:15:07 -0400 (EDT)
From: bugtraq@...security.net
To: joe@...rnsecurityonline.com, pen-test@...urityfocus.com
Cc: bugtraq@...urityfocus.com
Subject: RE: Informing Companies about security vulnerabilities...

So you are admitting publicly that you and a class of students that you teach are illegally testing random public websites for the purpose of learning about security vulnerabilities? Sounds like you/your company need to speak with a lawyer.

- Robert 
http://www.cgisecurity.com/ Application Security news and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]

-----Original Message-----
From: listbounce@...urityfocus.com [mailto:listbounce@...urityfocus.com] On Behalf Of Joseph McCray
Sent: Wednesday, October 04, 2006 3:07 AM
To: pen-test@...urityfocus.com
Subject: Informing Companies about security vulnerabilities...

This probably won't sound like that big of a deal, but it still bothered me so I figured I'd ask the list. I was teaching a Web Application Security class last week and we were performing simple XSS, SQL Injection, etc. on the vulnerable web apps I use for class.


Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to approach certain types of websites. A common subject is how to handle large websites with tons of dynamic content - so the class chose a major newspaper's website for the discussion.

Usually when we do this we only find a few simple things (XSS for example) - no big deal, right. With this particular website we just kept finding another, after another and on and on. Over 600 instances of XSS, over 200 SQL Injection - this was bad. After a while it started to get boring, there were so many....

So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my findings and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called, I just said forget it.

Has anyone else gone through a similar situation? Was the company receptive? Other companies I've contacted in the past have been quite receptive - I'm just curious if other people have gone through this as well.

No need to fill the list with this, you can email me directly with your inputs and stories.

--
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@...rnsecurityonline.com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
