> There for the taking are all of their customers' names, addresses,
> id's and passwords, SSN's, phone numbers, *CREDIT CARD NUMBERS AND
> EXPIRATION DATES* with billing addresses.
>
> But, if I tell them, they are going to want to know how I know. I
> cracked into their web site. Although I would never use such
> information, it could be argued that I performed an illegal activity
> just by checking.

Personally, I'd say you had an ethical obligation to help save unwitting victims by reporting it to them. It's not your duty, you have no responsibility for it, but I'd say it would be the "right" thing to do.

I would think that since you discovered the vulnerability and went straight to them to tell them about it (if you do), you shouldn't be charged with any form of crime. But then, I'm not a lawyer, and the law moves in stupid ways sometimes.

Perhaps the safest way may be to approach them in writing (probably best with a letter, email may not be reliable proof should they later try anything legal) and tell them that you think that there are security vulnerabilities with their site, and you're willing to provide them with full details of what is wrong, on the conditions that:

(a) They cannot and will not attempt to take legal action against you for discovering/reporting the problems;
(b) That you will need to make further attempts to discover the extent of the problems, and you will only do so with their permission and approval.

That way, if they want you to tell them about it, they can't hold you responsible, and if they ask you to probe further to see the problem, you will be doing so on their request - make sure that you have written proof of this before you do any further looking around though.

Like I said, IANAL, so you're probably best running whatever you decide to do past your lawyer first, just to be safe. I'm sure people on the list with more legal experience can provide better answers.

HTH

Dave P

The WDVL Discussion List from WDVL.COM
