12Jun2009 (UTC +8)

On Fri, Jun 12, 2009 at 02:56, Andres Riancho <[email protected]> wrote:
> I would like to hear your experiences reporting web application
> vulnerabilities to "random" websites. By "random" I mean websites that
> aren't a client/friend/relative/etc of yours.
>
> In my experience, it has always worked out fine, as I send the
> email explaining that I don't want anything in return, and if they need
> any other help understanding the vulnerability they can call me on my
> phone (this gives an idea of me being somebody serious ;) . But my
> experience is limited to small companies, Universities, and other
> websites here in Argentina.
>
> What's your experience in this subject? It's story telling time! =)
Here in Filipinas [1], my experiences have never been encouraging for anybody who wants to report vulnerabilities that they have chanced upon, even when reporting web site vandalisms that the web site owners / administrators have not detected themselves (going as far back as the days when Attrition.org was still active). The "whistleblower" is always treated as a suspect.

In about a dozen or more cases that I have accidentally discovered, none of them were grateful. Most of them would just silently receive my e-mail or call (if it's a local website), do their fixes (that takes several weeks), but with no acknowledgment of any sort. Not that I expect any form of gratitude, because we believe in doing good for goodness' sake, but I'm always curious (in an academic way) whether I made a false-positive observation or not.

In one case, I was called to a surprise meeting, only to have them express to me that they did not appreciate what I did because they thought I was out to malign them. But all turned out to be well now.

In a country where electronic evidence is recognized, and where we have laws that define "illegal access", there is a real risk of being wrongfully accused.

[1] http://www.tourism.gov.ph/ or http://en.wikipedia.org/wiki/Philippines or https://www.cia.gov/library/publications/the-world-factbook/geos/RP.html

Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
