Middle East, and here they will most probably not get the situation right the first time ..... "they" means "The bank" and "Law Enforcement"
On Thu, Jan 12, 2012 at 11:59 PM, Josh More <[email protected]> wrote: > If the bank is based in the US, the Infragard project exists just for > this sort of situation. > > -Josh > > On Thu, Jan 12, 2012 at 2:33 PM, Sherif El-Deeb <[email protected]> > wrote: > > Hi all, > > > > I have a friend "Bob" who found a vulnerability, (SQL injection, error > based > > -> v.fast data dumping) in a banking website that gave him access to all > > the customers' details among many other things, he is not evil, and he > came > > to me for advice: > > > > 1- He know he shouldn't have done the test in the first place without > > authorization and he is afraid that he might get prosecuted if he > reported > > it "happened before, right?". > > 2- He knows that this has to be reported because it leaves customer data > > exposed, and he has to act fast. > > 3- He would very much like to get rewarded :) not necessarily by money, a > > thank you letter will be just fine. > > > > I told him if we couldn't figure out a way to make sure he won't get > > prosecuted, He will just make the great sacrifice, be a good citizen and > > anonymously report it, and the only benefit he will gain will be > sleeping at > > night feeling little better about his self knowing that because of the > time > > and efforts he spent finding and reporting the issue, thousands and > > thousands of innocent people financial data are a bit more secure. > > > > any advices? > > > > Thanks in advance. > > Sherif Eldeeb > > > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
