hi slugs

if someone finds a security hole in a web application and wants to notify the admin of the page, what do you suggest are the next steps to be taken to ensure that the admin takes the report seriously?


Make a phone call if you can. For a start, it's more personable, and the
admin on the other end of the line may have an easier time understanding
that you're trying to help. Somewhat cynically, you haven't written it down,
so it can't be used as evidence against you, and you can more easily control
the flow of information about yourself.

but i think that hiding all the information from the other side can cause 2 problems:

1. spoken information is never as accurate as written information. i mean that describing a problem in words can lead to misunderstandings (wrong ports, no basic understanding, ...).

2. control of information flow: this is just an illusion, because after calling them, i have lost control.

but i agree to the part about "no evidence against you". :)

after some searching on the web i have found 2 interesting pages at cert. http://www.cert.org/tech_tips/incident_reporting.html - this is about how a report should be constructed, to whom it should go, and much more. http://www.cert.org/kb/vul_disclosure.html describes how cert handles reports, and the most interesting thing (for me) is that they wait 45 days before disclosure.

i will see how long it takes until the admin of the site responds. i have already sent a report to the office address (the only email address listed on the contact page) and they forwarded the report to the admin.

thanks, gottfried
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html