
| Subject: | Re: Disclosure of vulns and its legal aspects... |
|---|---|
| Date: | 30 May 2007 18:50:24 -0000 |
First, I fully agree that you should dump them the information anonymously and then walk away. But...yup, there's a but. If you were reporting this to me, I'd likely be just a teeny tiny bit curious about you. And chances are pretty good that you've left some tracks in my logs, especially if you were making interesting page calls or posts. Or some manager may ask his team, "Can we check to see if this has been exploited and track them down?" Your hits will be part of that investigation.

While I agree, anonymous is great, if you've not maintained that anonymity in your testing, at least be aware you can still get into some trouble. This is one of those cases I might suggest tabling your findings and chalking it up as a learning experience on multiple levels.

<- snip ->

On Wed, May 30, 2007 at 09:14:39AM +0100, Lee Lawson wrote:
> I would personally create an anonymous email account and send them some information stating that you are a penetration tester that 'happened' upon a possible security flaw in their website, but because of the state of fear that some unenlightened organisations have about this type of situation, you wish to remain anonymous at this point. Then explain that if they are open to increasing the security of their website, you will gladly analyse the security flaw further and give them full disclosure, on the basis that you will be given written permission prior to continuing further.
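The point made above about "tracks in my logs" is easy to underestimate. As an added illustration that is not part of the original thread, here is the kind of script a defender would run over the web server's access log once a manager asks "has this been exploited, and by whom?": it parses Apache combined-format lines, URL-decodes each request path, flags the usual probe signatures (traversal, SQL injection syntax, sensitive files, admin paths), and groups the hits by source address, also noting which probes got a 2xx back. The log lines, IP addresses and detection patterns are constructed for this example; the regexes are deliberately simple and would need tuning against a real site.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines (not from any real server).
# 203.0.113.7 is the "anonymous" reporter; 198.51.100.23 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2007:18:20:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2007:18:20:09 +0000] "GET /search.php?q=%27%20OR%201%3D1-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2007:18:20:15 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2007:18:21:40 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2007:18:22:03 +0000] "GET /products.html HTTP/1.1" 200 7331 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2007:18:22:10 +0000] "GET /images/logo.png HTTP/1.1" 200 4410 "/products.html" "Mozilla/5.0"
203.0.113.7 - - [30/May/2007:18:23:55 +0000] "GET /admin/ HTTP/1.1" 403 221 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe signatures, matched against the URL-decoded path + query string.
# Assumed/illustrative patterns: they catch textbook probes, not evasions.
PROBE_PATTERNS = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"'\s*(?:or|and)\s+\S+\s*=|union\s+select|--\s*$", re.IGNORECASE),
    "sensitive_file": re.compile(r"/etc/passwd|/etc/shadow|\.htpasswd", re.IGNORECASE),
    "admin_interface": re.compile(r"^/admin/?", re.IGNORECASE),
}


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path: str):
    """Return the names of every probe pattern that matches the decoded request path."""
    decoded = unquote(path)
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]


def suspicious_sources(log_text: str, min_probes: int = 1) -> dict:
    """Group requests by source IP and keep the sources that sent at least min_probes probe requests.

    probe_hits_2xx counts probe requests the server answered with 2xx, i.e. the ones
    an incident responder would look at first when asked "was this exploited?".
    """
    by_ip = defaultdict(lambda: {
        "requests": 0, "probe_requests": 0, "probe_hits_2xx": 0,
        "indicators": defaultdict(int), "first_seen": None, "last_seen": None,
    })
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        s = by_ip[rec["ip"]]
        s["requests"] += 1
        s["first_seen"] = s["first_seen"] or rec["ts"]
        s["last_seen"] = rec["ts"]
        hits = classify(rec["path"])
        if hits:
            s["probe_requests"] += 1
            if rec["status"].startswith("2"):
                s["probe_hits_2xx"] += 1
            for name in hits:
                s["indicators"][name] += 1
    return {
        ip: {**s, "indicators": dict(s["indicators"])}
        for ip, s in by_ip.items()
        if s["probe_requests"] >= min_probes
    }


if __name__ == "__main__":
    for ip, summary in suspicious_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

Running it against the constructed log isolates 203.0.113.7 with three probe requests (two of them answered 200) between 18:20 and 18:23, which is exactly the "hits" the poster says will become part of the investigation: an anonymous mailbox does nothing to hide a source address that was not anonymised while testing.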