It was my first thought letting them know in an anonymous e-mail, but getting some extra cash would be great too. I guess I will stick with sending the e-mail alerting them of the situation.
thanks

On 2011/12/01, at 16:55, Thor (Hammer of God) wrote:

> You are in a tough spot. In general, the level of access you granted
> yourself in an unauthorized testing of the site would be considered illegal.
> You may recall the whole 'or 1=1 thing. So your approach to the client is
> all he would need to contact authorities if he so chose.
>
> Arguably, the best thing to do here would be to contact the owner and just
> give them the information for free, and do so in a way that does not
> implicate you in any wrongdoing. Or simply drop it. Moving forward, you
> might want to consider changing your business model so that you are hired to
> perform web app assessments before you start breaking laws.
>
> t
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Miguel Lopes
> Sent: Wednesday, November 30, 2011 2:56 AM
> To: [email protected]
> Subject: [Full-disclosure] Client aproach
>
> Hi List,
>
> I found some major design flaws and vulnerabilities on a local webstore, but
> now I would like to tell the owner nicely and maybe profit from it?!
> Does anyone have some tips on how to inform a potential client of their
> vulnerabilities?
>
> Thanks in advance,
> Miguel Lopes
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
