Hello guys!
I have discovered some vulnerable websites owned by companies and organizations in my country. These websites have critical vulnerabilities. On some it is possible to log in without authorization; on others, to run arbitrary SQL commands and delete/create/modify files, to name a few.
I would like to know how I can approach these organizations and propose a vulnerability assessment on these websites.
- Should I (phone) call them? If so, what should I say?
- Should I write a letter? If so, what should be the template and contents?
And what about a (full) security audit?
If you know of a website or book that addresses these issues, I would appreciate it!
NOTE: I am very interested in how to contact them and sign a contract with them.
How to propose a security audit / pen-test?
leonel.machava

kaisellgren
Re: How to propose a security audit / pen-test?
leonel.machava wrote:
I would like to know how I can approach these organizations and propose a vulnerability assessment on these websites.
- Should I (phone) call them? If so, what should I say?
- Should I write a letter? If so, what should be the template and contents?

Email is a valid method to inform someone. You can leave your phone number in the message if you want.

As far as public disclosure goes, you should always contact them and let them patch the vulnerabilities. It should be up to them, not the originator, to decide whether to disclose anything to the public. It should be noted that even if a vulnerability is not publicly disclosed, the likelihood of exploiting vulnerabilities on unpatched software versions increases due to the possibility of reverse-engineering the patches.

leonel.machava wrote:
NOTE: I am very interested in how to contact them and sign a contract with them.

What kind of contract are you talking about here? To fix the vulnerabilities in exchange for $?
leonel.machava
Re: How to propose a security audit / pen-test?
Thank you kaisellgren!

kaisellgren wrote:
Email is a valid method to inform someone. You can leave your phone number in the message if you want.
As far as public disclosure goes, you should always contact them and let them patch the vulnerabilities. It should be up to them, not the originator, to decide whether to disclose anything to the public. It should be noted that even if a vulnerability is not publicly disclosed, the likelihood of exploiting vulnerabilities on unpatched software versions increases due to the possibility of reverse-engineering the patches.

I usually do it for websites of foreign countries. I email them with the info about the vulnerabilities.

Well, in my country, security is still something alien. A few developers are aware of it.

kaisellgren wrote:
What kind of contract are you talking about here? To fix the vulnerabilities in exchange for $?

Yes. I think it is a big opportunity for me to make some $. I don't know anyone else who can help them, and I am sure they don't know how to fix the vulnerabilities.

Any help here, please.
Re: How to propose a security audit / pen-test?
I'm all for public disclosure. Sure, it could possibly end up in the wrong hands, but the clients of said company also have a right to know so they can switch to a better company. But if any money or human life is at stake, then no, don't publicly disclose it.

If I were you, I would give them one freebie and charge them $500 - $1,500 to explain each additional security hole and fix it for them.
leonel.machava
Re: How to propose a security audit / pen-test?
Thank you josh!