
Re: Bank Exploit

Subject: Re: Bank Exploit
Date: 27 Jul 2007 14:00:49 -0000
There are a number of rubs with this question, making it very interesting.

1) If you decide to anonymously divulge the issue, make sure you're conscious 
of how you found out about the issue in the first place. Did your friend find 
it from his home system? Any team worth their pay that receives this 
information may look into their exposure, i.e. did someone already leverage 
this exploit? They check their logs, see you've done it, track you down anyway. 
This is especially easy if the methods leave distinct and easily-searchable log 
entries.

2) If your friend or you are a customer of that bank, you might be a little 
"safer" than if you were just some third party. As a concerned customer, you 
could present your findings and they may treat you differently.

3) So, let's say you're a customer of this bank for the sake of this third 
point. You find this exploit. You read advice on this board that says, "don't 
divulge it, just keep quiet and move on with life." You found it, which means 
others can likely find it. Do you remain a customer? Do you feel less secure? 
That's an interesting dilemma and I think I know what the business would rather 
have you do: remain a customer.

If you and your friend have no ties to the bank, then I think you're back in an 
"easier" seat of either divulging, anonymously divulging, or just walking away.


<- snip ->
Friend of mine (not me, really) is working with a client of his who
claims to have inadvertently discovered a few web exploits of several
financial institutions. Does anyone have any insights as to how this guy
could bring these to the attention of the organizations involved without
being seen as a hacker? His minimal goal is to help the institutions,
optimally he would like to consult to help them rectify the issues.
