Re: [Full-disclosure] Client aproach
- To: Chris L <inchcombec@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Client aproach
- From: Miguel Lopes <theoverblue@xxxxxxxxx>
- Date: Thu, 1 Dec 2011 18:38:52 +0000
Thanks for the advice; the money was a long shot. I will stick with the
anonymous e-mail, giving the information and tips to fix it.
On 2011/12/01, at 18:08, Chris L wrote:
> Depending on your country/local laws (no idea where you're from), how you
> discovered the vulnerabilities and if you actually tested them and gained
> unauthorized access in the process then there is the possibility you're on
> the wrong side of the law. If you haplessly stumbled across it and then left
> it be but just know it's there, you're probably safe. If you found something
> that seemed odd, and actively tried to test it or to verify that it was an
> issue without prior permission, you're almost certainly in violation of some
> law. Even if it was very minor verification. As well, a lot of whether or not
> the owner decides to get police involved and try to come after you is simply
> going to depend on their technological knowledge, how they perceive the
> information you tell them and simply whether or not they decide they like or
> not, so it's a real crapshoot.
>
> I'd say your chances of getting money are slim/nil and that it would be a bad
> idea to even attempt. Even if it's not your intention, and even if you make it
> explicitly clear that you won't use the info or disseminate the info even if
> he decides not to pay you to fix it, it could still be perceived as an
> extortion attempt. As others have said, the best bet is to send an anonymous
> email, give him all the details and hope he takes proper action to fix it.
>
> If you really feel the need to let them know who you are, (or you did this
> from a location where they're going to track it back to you if they check the
> logs once you alert them of the problem anyway), I'd still say the best thing
> to do is to simply give them all the information and some small advice about
> how it may be fixed for free. There simply isn't any good way, though, to get
> actual money out of this without it seeming like a shakedown/extortion
> or the owner simply getting cops involved because they don't even want to
> bother spending any money on the issues and would rather just label you some
> "elite evil hacker" and pretend there is nothing they can do rather than
> spend the money.
>
> However, if you're hellbent on it, the only relatively safe way I see to get
> anything of value out of this would be to turn over all information and
> advice on fixing the problem and make it clear you just want to alert them to
> the problem. A lot of people aren't exactly technical and won't understand
> what you're saying so you can offer to fix it, I can't stress this enough,
> for FREE. Then if by the end of fixing it they appreciate your work and think
> you've done well you could always ask if you can use them as a reference,
> which might help get actual paying work down the road. This is best done at
> the END and only if you feel that you've developed some trust and they
> appreciate the help you gave them.
>
> All that said though, safest way, as said, is simply an anonymous e-mail and
> it is the best option. If you are going to stick your neck out there, at
> least realize you're not likely to see any real money from it and there is
> the risk you get it chopped off.
>
>
> On Thu, Dec 1, 2011 at 9:04 AM, Peter Dawson <slash.pd@xxxxxxxxx> wrote:
>
> Send site owner/admin anon email and leave it at that.. as Thor mentioned
> give em the info for free!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/