Just make sure that he knows that if the "anonymous" report angers them in the way that you fear, it will likely be a trivial matter for them to review their logs and figure out what user has been poking around in that specific feature.
--
Wesley McGrew

On Thursday, January 12, 2012 at 3:27 PM, Sherif El-Deeb wrote:

> It started with the usual quotation mark, but to make sure it's a real
> issue... well, I'm sure you know "that" feeling; again, no bad intentions at
> all.
>
> It's not just an "injection point, need to fix" type of report, it's a
> detailed one: executive summary, injection point(s), affected parameters and
> recommendations on how to fix.
>
> So, it's going to be an anonymous report submitted using a throw-away email
> account created through Tor then... Thank you guys for the advice, I already
> had the feeling that this is how it is going to be.
>
> Your help is very much appreciated; I needed to be sure that my advice to him
> is going to be the closest thing to the right thing. "Damn you, conscience,
> damn you!"
>
> Sherif.
>
> On Thu, Jan 12, 2012 at 11:52 PM, mark cunningham <[email protected]> wrote:
> > Depends how much "he" has done so far. If he stuck in a quotation
> > mark, got an SQL error and reports that, no harm done imo, but if he's
> > aimed a tool at it or started pulling out data already, then that's
> > just plain stupid (which I gather he has).
> >
> > If he really wants to make things right while still covering his ass,
> > he could register an email address and use it as a point of contact to
> > inform the bank in case they have any further queries. Keep the
> > alternative email so the bank has some way to contact him. Provide as
> > much information as possible about what the bug is and how to fix it.
> > Don't just mention "injection point, need to fix". You should
> > probably highlight this with "Serious security hole" or the likes.
> >
> > It's the right thing to do and I think he should really do it despite
> > the fact that when you inform someone of this, they may start poking around
> > the log files, in which case they'll see exactly what he has done.
> >
> > Had to keep going back and replacing "you" with "him" while writing
> > this whole email.
> >
> > Mark
> >
> > On Thu, Jan 12, 2012 at 8:33 PM, Sherif El-Deeb <[email protected]> wrote:
> > > Hi all,
> > >
> > > I have a friend "Bob" who found a vulnerability (SQL injection, error based
> > > -> v. fast data dumping) in a banking website that gave him access to all
> > > the customers' details among many other things. He is not evil, and he came
> > > to me for advice:
> > >
> > > 1- He knows he shouldn't have done the test in the first place without
> > > authorization, and he is afraid that he might get prosecuted if he reported
> > > it ("happened before, right?").
> > > 2- He knows that this has to be reported because it leaves customer data
> > > exposed, and he has to act fast.
> > > 3- He would very much like to get rewarded :) not necessarily by money; a
> > > thank-you letter will be just fine.
> > >
> > > I told him if we couldn't figure out a way to make sure he won't get
> > > prosecuted, he will just make the great sacrifice, be a good citizen and
> > > anonymously report it, and the only benefit he will gain will be sleeping at
> > > night feeling a little better about himself, knowing that because of the time
> > > and effort he spent finding and reporting the issue, thousands and
> > > thousands of innocent people's financial data are a bit more secure.
> > >
> > > Any advice?
> > >
> > > Thanks in advance.
> > > Sherif Eldeeb
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
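As an added illustration of Wesley's point that the site's operators can pull the probing user straight out of their logs (example code written for this page, not from the list thread), the Python below scans constructed Apache-style access-log lines for the quote-then-SQL-error pattern Mark describes and groups the hits by authenticated user. The log format, the field carrying the username, and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: Apache combined format, authenticated user in the third field.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jan/2012:15:01:02 +0000] "GET /accounts/view?id=1042 HTTP/1.1" 200 812
10.0.0.9 - bob [12/Jan/2012:15:03:11 +0000] "GET /accounts/view?id=1042%27 HTTP/1.1" 500 301
10.0.0.9 - bob [12/Jan/2012:15:03:40 +0000] "GET /accounts/view?id=1042%27%20OR%201%3D1-- HTTP/1.1" 200 99120
10.0.0.7 - carol [12/Jan/2012:15:05:00 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 1200
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Quote followed by an SQL keyword or comment marker; a legitimate apostrophe ("O'Brien") does not match.
PROBE_RE = re.compile(r"""(['"]\s*(or|and|union|select|--|#|/\*)|;\s*(drop|select|update)|--\s*$)""", re.I)

def parse_line(line):
    """Split one access-log line into its fields; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # URL-decodes %27 -> '
    return {"ip": ip, "user": user, "time": ts, "method": method,
            "path": parts.path, "params": params, "status": int(status)}

def is_probe(params, status):
    """Flag a request whose parameter carries an SQL payload pattern,
    or a bare quote that coincided with a 500 (a likely database error)."""
    for _, value in params:
        if PROBE_RE.search(value):
            return True
        if "'" in value and status == 500:
            return True
    return False

def probes_by_user(log_text):
    """Map each authenticated user to the (time, path, params) of their flagged requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["params"], rec["status"]):
            hits[rec["user"]].append((rec["time"], rec["path"], rec["params"]))
    return dict(hits)

if __name__ == "__main__":
    for user, reqs in probes_by_user(SAMPLE_LOG).items():
        print(user, "->", [(t, p) for t, p, _ in reqs])
```

Run against the sample, only bob's two requests to /accounts/view are reported; the bare-quote rule is deliberately tied to a 500 response so ordinary apostrophes in search terms do not produce noise.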
