Date: Thu, 1 Dec 2011 10:08:40 -0800
From: Chris L <inchcombec@...il.com>
To: Peter Dawson <slash.pd@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Client aproach

Depending on your country/local laws (no idea where you're from), how you
discovered the vulnerabilities, and whether you actually tested them and gained
unauthorized access in the process, there is the possibility you're on
the wrong side of the law. If you haplessly stumbled across it and then
left it be but just know it's there, you're probably safe. If you found
something that seemed odd, and actively tried to test it or to verify that
it was an issue without prior permission, you're almost certainly in
violation of some law, even if it was very minor verification. As well, a
lot of whether or not the owner decides to get the police involved and try to
come after you is simply going to depend on their technological knowledge,
how they perceive the information you tell them, and simply whether or not
they decide they like you, so it's a real crap shoot.

I'd say your chances of getting money are slim/nil and that it would be a
bad idea to even attempt it. Even if it's not your intention, and even if you
make it explicitly clear that you won't use the info or disseminate the
info even if he decides not to pay you to fix it, it could still be
perceived as an extortion attempt. As others have said, the best bet is to
send an anonymous email, give him all the details, and hope he takes proper
action to fix it.

If you really feel the need to let them know who you are (or you did this
from a location where they're going to track it back to you if they check
the logs once you alert them of the problem anyway), I'd still say the best
thing to do is to simply give them all the information and some small
advice about how it may be fixed, for free. There simply isn't any good way
to get actual money out of this without it seeming like a
shakedown/extortion, or the owner simply getting the cops involved because they
don't even want to bother spending any money on the issues and would rather
just label you some "elite evil hacker" and pretend there is nothing they
can do rather than spend the money.

However, if you're hellbent on it, the only relatively safe way I see to
get anything of value out of this would be to turn over all information and
advice on fixing the problem and make it clear you just want to alert them
to the problem. A lot of people aren't exactly technical and won't
understand what you're saying, so you can offer to fix it, and I can't stress
this enough, for FREE. Then, if by the end of fixing it they appreciate your
work and think you've done well, you could always ask if you can use them as
a reference, which might help get actual paying work down the road. This is
best done at the END and only if you feel that you've developed some trust
and they appreciate the help you gave them.

All that said, the safest way, as said, is simply an anonymous e-mail,
and it is the best option. If you are going to stick your neck out there,
at least realize you're not likely to see any real money from it and there
is the risk you get it chopped off.


On Thu, Dec 1, 2011 at 9:04 AM, Peter Dawson <slash.pd@...il.com> wrote:

>
> Send site owner/admin anon email and leave it at that.. as Thor mentioned
> give em the info for free!
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/