
Re: [Full-disclosure] Deutsche Post Security Cup 2013



On 20.03.2013, at 14:59, Benji wrote:

> >>I think it's getting ridiculous, if you don't have a name in the industry 
> >>you're getting sued for the vast majority of bugs you solve...
> >>And on the other hand, those same companies give away 3-15.000 for a single 
> >>bug if the researcher happens to be known :|
> 
> Examples please

Well, for instance, we got all those folks that got into trouble with 
jail-breaking all kinds of devices. I know this is not a bug per se, but it 
still has a bad flavor to know that one ain't allowed to do nothing with "his" 
hardware...
Then we got those governmental pages, which don't really care that people like us 
make their applications more secure... mostly even for free...
Here I remember the MTISC thing... MTISC was/is a client page for ManTech (one 
of the top weapon-systems engineers and suppliers for most of the U.S. military). 
Somebody found out that "'OR 1=1" as username and password grants administrator-
level access on the site, making you able to get any invoice and delivery 
receipt (like Iraqi bases from the U.S. military)... Well, I assume he had quite 
some fun too...
Also PayPal: now they do bug bounties, but some time ago they were fairly pro-active 
with their lawyers, if I remember right...

I've even had a threat from a Bavarian university because I informed them 
that having a root directory world-readable via apache2 fancyindexing ain't 
so intelligent...

There are ofc a lot more examples; one individual I used to talk to was close 
to jail due to an SQL injection disclosure...


I admit, I might have over-exaggerated the situation a bit in rage.

Kind regards,

Daniel Preussker

[ Security Consultant, Network & Protocol Security and Cryptography
[ LPI & Novell Certified Linux Engineer and Researcher
[ +49 178 600 96 30
[ Daniel@xxxxxxxxxxxxx
[ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/