Let me speak from the other side: from me you will always get a thank you. There is no way that we, as the producer of a product, can find all things. So if you find a bug or a vulnerability, let us know about it.
Mattias Baecklund
Software Security Engineer | Foundation 1
IFS
Teknikringen 5, SE-583 30 Linköping, SWEDEN
Tel +46 (0)13-460 35 16
Fax +46 (0)13-460 35 01
E-mail [email protected]
www.IFSWORLD.com

IFS—solutions for the agile enterprise
Please consider the environment before printing my email

IFS World Operations AB is a limited liability company registered in Sweden. Corporate identity number: 556040-6042. Registered office: Teknikringen 5, Box 1545, SE-581 15 Linköping.

> -----Original Message-----
> From: Drexx Laggui [personal] [mailto:[email protected]]
> Sent: 12 June 2009 07:28
> To: [email protected]
> Subject: Re: [W3af-users] Experiences reporting Web Application
> Vulnerabilities to "random" websites
>
> 12Jun2009 (UTC +8)
>
> On Fri, Jun 12, 2009 at 02:56, Andres Riancho
> <[email protected]> wrote:
> > I would like to hear your experiences reporting web application
> > vulnerabilities to "random" websites. By "random" I mean websites that
> > aren't a client/friend/relative/etc. of yours.
> >
> > In my experience, it has always worked out fine, as I send the
> > email explaining that I don't want anything in return, and if they need
> > any other help understanding the vulnerability they can call me on my
> > phone (this gives an idea of me being somebody serious ;) . But my
> > experience is limited to small companies, universities, and other
> > websites here in Argentina.
> >
> > What's your experience in this subject? It's storytelling time! =)
>
> Here in Filipinas [1], my experiences are never encouraging for
> anybody to report vulnerabilities that I have chanced upon. Even when
> reporting web site vandalisms that they, the web site owners /
> administrators, have not detected (going as far back as the days when
> Attrition.org was still active).
>
> The "whistleblower" is always made a suspect. In about a dozen or
> more that I have accidentally discovered, none of them were grateful.
> Most of them would just silently receive my e-mail or call (if it's a
> local website), do their fixes (that takes several weeks), but no
> acknowledgment of any sort. Not that I expect any form of gratitude,
> because we believe in doing good for goodness' sake, but I'm always
> curious (in an academic way) if I made a false-positive observation or
> not. In one case, I was called to a surprise meeting, only to have
> them express to me that they did not appreciate what I did because
> they thought I was out to malign them. But all turned out to be well
> now.
>
> In a country where electronic evidence is recognized, and where we
> have laws that define "illegal access", there is a real risk of being
> wrongfully accused.
>
> [1] http://www.tourism.gov.ph/ or
> http://en.wikipedia.org/wiki/Philippines or
> https://www.cia.gov/library/publications/the-world-factbook/geos/RP.html
>
>
> Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> http://www.laggui.com ( Singapore / Manila / California )
> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables unlimited
> royalty-free distribution of the report engine for externally facing
> server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users

------------------------------------------------------------------------------
CONFIDENTIALITY AND DISCLAIMER NOTICE
This e-mail, including any attachments, is confidential and intended only for the addressee.
If you are not the intended recipient, please notify us immediately and delete this e-mail from your system. Any use or disclosure of the information contained herein is strictly prohibited.
