Yes, you are absolutely right, option 2 is risky. We are an infosec
organization exclusively which carried some weight with them. We
weren't just someone who found an issue and reported it which is why I
asked if this person was an infosec professional. For the incident we
reported this to the company and they were appreciative of it. They
weren't a bank, but they were sizable and the nature of the issue
could have caused them to go out of business if it had been
exploited. I know little more than that as I did not feel I had a need
to know.
An anonymous tip line would be good in this case... I too wonder if
there is such a thing. It really is in the businesses best interest...
If the bank has an incident response plan most IR teams have the
ability for an employee to report an incident anonymously... I wonder
if the same logic could be used for a non-employee...
-J
On 7/25/07, Jax Lion <jv4l1n4@gmail.com> wrote:
So Jason - what happened to your collegue?
IMHO - I don't think option 2 is a good idea. Questions will come up
such as - how did you discover the vulnerability in the first place.
What were you doing... and it all goes downhill from there.
I don't agree with keeping quiet either...
Is there a medium where we can report the "accidental discoveries"
without risk of prosecution? Like a hot tip line with the FBI or
something.
On 7/25/07, Jason Thompson <securitux@gmail.com> wrote:
> Risky... is this person a security professional?
>
> This has happened to one of my colleagues before as well. There are
> two solutions that are possible:
>
> 1) Do not reveal this or tell anyone about it. Leave it be. As there
> is this heightened sense of urgency among banks to thwart potential
> attackers the person could be in trouble with the bank for simply
> discovering the issue. It really all depends on the person he or she
> deals with there. Not saying it would hold up in court, it likely
> wouldn't, but anyone who has the ability to find exploits is generally
> regarded in a dim light by those who are uneducated on the subject.
>
> 2) Notify the bank's incident response team / security staff, OFFER a
> non-disclosure agreement to them saying that you will not disclose
> this to anyone regardless of what actions the bank decides to take on
> their vulnerability, and state that this was discovered by accident
> and that he or she simply wants to notify them about the issue and IS
> NOT seeking ANY SORT of compensation. If they are notified and it
> follows with the statement 'I would be willing to help consult you on
> the solution for a small compensation' it instantly becomes extortion
> and this person will likely be thrown in jail.
>
> I am not a lawyer by any means, I am simply speaking from past
> experiences and what I have seen happen to those who did things the
> right way and the wrong way.
>
> Solution 2 is a lot easier if your friend's client works in
> information security and holds federal clearances and security
> designations. Real ones, not Cisco or something :)
>
> -J
>
> On 25 Jul 2007 13:34:29 -0000, securityz@delahunty.com
> <securityz@delahunty.com> wrote:
> > Friend of mine (not me, really) is working with a client of his who claims
to have inadvertently discovered a few web exploits of several financial
institutions. Does anyone have any insights as to how this guy could bring these to
the attention of the organizations involved without being seen as a hacker? His
minimal goal is to help the institutions, optimally he would like to consult to help
them rectify the issues.
> >
> >
> > thx
> >
> > Steve
> >
>
