It started with the usual quotation mark, but to make sure it's a real
issue.... well, I'm sure you know "that" feeling; again, no bad intentions
at all.

It's not just an "injection point, need to fix" type of report; it's a
detailed one: executive summary, injection point(s), affected parameters
and recommendations on how to fix.

So, it's going to be an anonymous report submitted using a throw-away email
account created through Tor then... Thank you guys for the advice; I
already had the feeling that this is how it is going to be.

Your help is very much appreciated; I needed to be sure that my advice to him
is going to be the closest thing to the right thing. "Damn you conscience,
damn you!"

Sherif.


On Thu, Jan 12, 2012 at 11:52 PM, mark cunningham <[email protected]> wrote:

> Depends how much "he" has done so far. If he stuck in a quotation
> mark, got an SQL error and reports that, no harm done imo, but if he's
> aimed a tool at it or started pulling out data already, then that's
> just plain stupid (which I gather he has).
>
> If he really wants to make things right while still covering his ass,
> he could register an email address and use it as a point of contact to
> inform the bank in case they have any further queries. Keep the
> alternative email so the bank have some way to contact him. Provide as
> much information as possible about what the bug is and how to fix it.
> Don't just mention "injection point, need to fix". You should
> probably highlight this with "Serious security hole" or the like.
>
> It's the right thing to do and I think he should really do it despite
> the fact that when you inform someone of this, they may start poking around
> the log files, in which case they'll see exactly what he has done.
>
> Had to keep going back and replacing "you" with "him" while writing
> this whole email
>
> Mark
>
> On Thu, Jan 12, 2012 at 8:33 PM, Sherif El-Deeb <[email protected]> wrote:
> > Hi all,
> >
> > I have a friend "Bob" who found a vulnerability (SQL injection, error based
> > -> v.fast data dumping) in a banking website that gave him access to all
> > the customers' details among many other things. He is not evil, and he came
> > to me for advice:
> >
> > 1- He knows he shouldn't have done the test in the first place without
> > authorization, and he is afraid that he might get prosecuted if he reported
> > it "happened before, right?".
> > 2- He knows that this has to be reported because it leaves customer data
> > exposed, and he has to act fast.
> > 3- He would very much like to get rewarded :) not necessarily by money; a
> > thank you letter will be just fine.
> >
> > I told him if we couldn't figure out a way to make sure he won't get
> > prosecuted, he will just make the great sacrifice, be a good citizen and
> > anonymously report it, and the only benefit he will gain will be sleeping at
> > night feeling a little better about himself, knowing that because of the time
> > and effort he spent finding and reporting the issue, thousands and
> > thousands of innocent people's financial data are a bit more secure.
> >
> > Any advice?
> >
> > Thanks in advance.
> > Sherif Eldeeb
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>