Is there an EFF that knows middle eastern laws?

On Thu, Jan 12, 2012 at 3:39 PM, Robert Wesley McGrew <
[email protected]> wrote:

>  Just make sure that he knows that if the "anonymous" report angers them
> in the way that you fear, it will likely be a trivial matter for them to
> review their logs and figure out what user has been poking around in that
> specific feature.
>
> --
> Wesley McGrew
>
> On Thursday, January 12, 2012 at 3:27 PM, Sherif El-Deeb wrote:
>
> It started with the usual quotation mark, but to make sure it's a real
> issue... well, I'm sure you know "that" feeling; again, no bad intentions
> at all.
>
> It's not just an "injection point, need to fix" type of report, it's a
> detailed one: executive summary, injection point(s), affected parameters
> and recommendations on how to fix.
>
> So, it's going to be an anonymous report submitted using a throw-away
> email account created through Tor then... thank you guys for the advice, I
> already had the feeling that this is how it was going to be.
>
> Your help is very much appreciated; I needed to be sure that my advice to
> him is going to be the closest thing to the right thing. "Damn you
> conscience, damn you!"
>
> Sherif.
>
>
> On Thu, Jan 12, 2012 at 11:52 PM, mark cunningham <
> [email protected]> wrote:
>
> Depends how much "he" has done so far. If he stuck in a quotation
> mark, got an SQL error and reports that, no harm done imo, but if he's
> aimed a tool at it or started pulling out data already, then that's
> just plain stupid (which I gather he has).
>
> If he really wants to make things right while still covering his ass,
> he could register an email address and use it as a point of contact to
> inform the bank in case they have any further queries. Keep the
> alternative email so the bank have some way to contact him. Provide as
> much information as possible about what the bug is and how to fix it.
> Don't just mention "injection point, need to fix". You should
> probably highlight this with "Serious security hole" or the like.
>
> It's the right thing to do and I think he should really do it, despite
> the fact that when you inform someone of this, they may start poking around
> the log files, in which case they'll see exactly what he has done.
>
> Had to keep going back and replacing "you" with "him" while writing
> this whole email.
>
> Mark
>
> On Thu, Jan 12, 2012 at 8:33 PM, Sherif El-Deeb <[email protected]>
> wrote:
> > Hi all,
> >
> > I have a friend "Bob" who found a vulnerability (SQL injection, error
> > based -> v. fast data dumping) in a banking website that gave him access
> > to all the customers' details among many other things. He is not evil,
> > and he came to me for advice:
> >
> > 1- He knows he shouldn't have done the test in the first place without
> > authorization, and he is afraid that he might get prosecuted if he
> > reported it ("happened before, right?").
> > 2- He knows that this has to be reported because it leaves customer data
> > exposed, and he has to act fast.
> > 3- He would very much like to get rewarded :) not necessarily by money;
> > a thank you letter will be just fine.
> >
> > I told him if we couldn't figure out a way to make sure he won't get
> > prosecuted, he will just make the great sacrifice, be a good citizen and
> > anonymously report it, and the only benefit he will gain will be
> > sleeping at night feeling a little better about himself, knowing that
> > because of the time and effort he spent finding and reporting the issue,
> > thousands and thousands of innocent people's financial data are a bit
> > more secure.
> >
> > Any advice?
> >
> > Thanks in advance.
> > Sherif Eldeeb
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com