
Re: [Full-disclosure] Client aproach



It was my first thought to let them know in an anon e-mail, but getting some extra 
cash would be great too.
I guess I will stick with sending the e-mail alerting them of the situation.

thanks

On 2011/12/01, at 16:55, Thor (Hammer of God) wrote:

> You are in a tough spot. In general, the level of access you granted 
> yourself in an unauthorized testing of the site would be considered illegal. 
> You may recall the whole 'or 1=1' thing. So your approach to the client is 
> all he would need to contact authorities if he so chose. 
> 
> Arguably, the best thing to do here would be to contact the owner and just 
> give them the information for free, and do so in a way that does not 
> implicate you in any wrongdoing.  Or simply drop it.  Moving forward, you 
> might want to consider changing your business model so that you are hired to 
> perform web app assessments before you start breaking laws.  
> 
> t
> 
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Miguel Lopes
> Sent: Wednesday, November 30, 2011 2:56 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Client aproach
> 
> Hi List,
> 
> I found some major design flaws and vulnerabilities on a local webstore, but 
> now I would like to tell the owner nicely and maybe profit from it?!
> Does anyone have some tips on how to inform a potential client of their 
> vulnerabilities?
> 
> Thanks in advance,
> Miguel Lopes
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/