Thanks for the advice. The money was a long shot; I will stick with the anonymous e-mail, giving the information and tips to fix it.
On 2011/12/01, at 18:08, Chris L wrote:

> Depending on your country/local laws (no idea where you're from), how you discovered the vulnerabilities and if you actually tested them and gained unauthorized access in the process, then there is the possibility you're on the wrong side of the law. If you haplessly stumbled across it and then left it be but just know it's there, you're probably safe. If you found something that seemed odd, and actively tried to test it or to verify that it was an issue without prior permission, you're almost certainly in violation of some law. Even if it was very minor verification. As well, a lot of whether or not the owner decides to get police involved and try to come after you is simply going to depend on their technological knowledge, how they perceive the information you tell them and simply whether or not they decide they like or not, so it's a real crap shoot.
>
> I'd say your chances of getting money are slim/nil and that it would be a bad idea to even attempt. Even if it's not your intention, and even if you make it explicitly clear that you won't use the info or disseminate the info even if he decides not to pay you to fix it, it could still be perceived as an extortion attempt. As others have said, the best bet is to send an anonymous email, give him all the details and hope he takes proper action to fix it.
>
> If you really feel the need to let them know who you are (or you did this from a location where they're going to track it back to you if they check the logs once you alert them of the problem anyway), I'd still say the best thing to do is to simply give them all the information and some small advice about how it may be fixed, for free. There simply isn't any good way to get actual money out of this without it seeming like a shakedown/extortion, or the owner simply getting cops involved because they don't even want to bother spending any money on the issues and would rather just label you some "elite evil hacker" and pretend there is nothing they can do rather than spend the money.
>
> However, if you're hellbent on it, the only relatively safe way I see to get anything of value out of this would be to turn over all information and advice on fixing the problem and make it clear you just want to alert them to the problem. A lot of people aren't exactly technical and won't understand what you're saying, so you can offer to fix it, I can't stress this enough, for FREE. Then if by the end of fixing it they appreciate your work and think you've done well, you could always ask if you can use them as a reference, which might help get actual paying work down the road. This is best done at the END and only if you feel that you've developed some trust and they appreciate the help you gave them.
>
> All that said though, the safest way, as said, is simply an anonymous e-mail, and it is the best option. If you are going to stick your neck out there, at least realize you're not likely to see any real money from it and there is the risk you get it chopped off.
>
> On Thu, Dec 1, 2011 at 9:04 AM, Peter Dawson <slash...@gmail.com> wrote:
>
> > Send site owner/admin anon email and leave it at that.. as Thor mentioned, give em the info for free!
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/