Hi,

You could try contacting the guys at upSploit - https://upsploit.com/

They handle disclosure, anonymous or otherwise, of vulnerabilities with the affected parties. This allows you to distance yourself from the disclosure but still have a communications channel open (potentially). Use an alias if you wish for further anonymity when contacting them.

Regards,
Jim

On 12 January 2012 20:33, Sherif El-Deeb <[email protected]> wrote:
> Hi all,
>
> I have a friend "Bob" who found a vulnerability (SQL injection, error based -> v.fast data dumping) in a banking website that gave him access to all the customers' details among many other things. He is not evil, and he came to me for advice:
>
> 1- He knows he shouldn't have done the test in the first place without authorization and he is afraid that he might get prosecuted if he reported it "happened before, right?".
> 2- He knows that this has to be reported because it leaves customer data exposed, and he has to act fast.
> 3- He would very much like to get rewarded :) not necessarily by money, a thank you letter will be just fine.
>
> I told him if we couldn't figure out a way to make sure he won't get prosecuted, he will just make the great sacrifice, be a good citizen and anonymously report it, and the only benefit he will gain will be sleeping at night feeling a little better about himself knowing that because of the time and effort he spent finding and reporting the issue, thousands and thousands of innocent people's financial data are a bit more secure.
>
> Any advice?
>
> Thanks in advance.
> Sherif Eldeeb
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
