[Pauldotcom] He is not evil, checked a site without authorization, found an issue...then what?
jmore at starmind.org
Thu Jan 12 20:59:30 UTC 2012
If the bank is based in the US, the Infragard project exists just for
this sort of situation.
On Thu, Jan 12, 2012 at 2:33 PM, Sherif El-Deeb <archeldeeb at gmail.com> wrote:
> Hi all,
> I have a friend "Bob" who found a vulnerability (SQL injection, error based
> -> v.fast data dumping) in a banking website that gave him access to all
> the customers' details among many other things. He is not evil, and he came
> to me for advice:
> 1- He knows he shouldn't have done the test in the first place without
> authorization, and he is afraid that he might get prosecuted if he reported
> it ("happened before, right?").
> 2- He knows that this has to be reported because it leaves customer data
> exposed, and he has to act fast.
> 3- He would very much like to get rewarded :) not necessarily with money; a
> thank-you letter will be just fine.
> I told him if we couldn't figure out a way to make sure he won't get
> prosecuted, he will just make the great sacrifice, be a good citizen and
> anonymously report it, and the only benefit he will gain will be sleeping at
> night feeling a little better about himself, knowing that because of the time
> and effort he spent finding and reporting the issue, thousands and
> thousands of innocent people's financial data are a bit more secure.
> Any advice?
> Thanks in advance.
> Sherif Eldeeb