
Re: [WEB SECURITY] Reporting a security vulnerability



On Mon, Mar 17, 2008 at 12:27 PM, Moody Shensky <moodyshensky@xxxxxxxxx> wrote:
> For security researchers who work independently, how does the process of
> reporting newly discovered vulnerabilities (known issues like XSS, SQLi etc.
> but in new libraries) actually work? Is there a document/guideline that I
> can look at as a starting point? I have read about full-disclosure (RFP)
> policy and others, but for web application security issues, is there a special
> way of doing this?

Depends on the application vendor and your police jurisdiction. In
most places in the world (including the US and the UK), it is illegal
to find vulnerabilities in web applications. Particularly, SQLi has
caused a few people to get arrested, tried, and convicted - even if
for a good/neutral cause (how do you prove that you had good
intentions?).

My suggestion is to try responsible disclosure and see if you like it.
However, if there is a legal problem associated with your disclosure
(e.g. privacy information or trade secrets) it may be best to see if
you can get a contract in place with the organization in question
before you disclose anything to anyone.

Cheers,
Andre

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org