Hi all, I have a friend "Bob" who found a vulnerability (SQL injection, error based -> v. fast data dumping) in a banking website that gave him access to all the customers' details, among many other things. He is not evil, and he came to me for advice:

1- He knows he shouldn't have done the test in the first place without authorization, and he is afraid that he might get prosecuted if he reports it ("happened before, right?").
2- He knows that this has to be reported because it leaves customer data exposed, and he has to act fast.
3- He would very much like to get rewarded :) not necessarily with money; a thank-you letter will be just fine.

I told him that if we couldn't figure out a way to make sure he won't get prosecuted, he will just make the great sacrifice, be a good citizen and anonymously report it, and the only benefit he will gain will be sleeping at night feeling a little better about himself, knowing that because of the time and effort he spent finding and reporting the issue, thousands and thousands of innocent people's financial data are a bit more secure.

Any advice? Thanks in advance.

Sherif Eldeeb
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
