If the bank is based in the US, the Infragard project exists just for this sort of situation.
-Josh

On Thu, Jan 12, 2012 at 2:33 PM, Sherif El-Deeb <[email protected]> wrote:
> Hi all,
>
> I have a friend "Bob" who found a vulnerability (SQL injection, error based
> -> v.fast data dumping) in a banking website that gave him access to all
> the customers' details among many other things. He is not evil, and he came
> to me for advice:
>
> 1- He knows he shouldn't have done the test in the first place without
> authorization, and he is afraid that he might get prosecuted if he reported
> it ("happened before, right?").
> 2- He knows that this has to be reported because it leaves customer data
> exposed, and he has to act fast.
> 3- He would very much like to get rewarded :) not necessarily by money; a
> thank-you letter will be just fine.
>
> I told him that if we couldn't figure out a way to make sure he won't get
> prosecuted, he will just make the great sacrifice, be a good citizen and
> anonymously report it, and the only benefit he will gain will be sleeping at
> night feeling a little better about himself, knowing that because of the time
> and effort he spent finding and reporting the issue, thousands and
> thousands of innocent people's financial data are a bit more secure.
>
> Any advice?
>
> Thanks in advance.
> Sherif Eldeeb
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
