Forum Thread: Need an Ethical/Legal Review on This, Thanks

First of all I consider myself one of the good guys.

Case:

If I find a vulnerability on a website which I have no connection to, but I wish to let them know about this vulnerability.

Question:

Would this be an illegal action that I previously did? If I hand over the knowledge to the owner of the website, he might be "scared" of getting this information from a stranger. My worry is that this is illegal and I could be contacted by the police later on (worst case), even though I am trying to do a good deed.

Please let me know your thoughts on this, thanks.

/Bytewiz

4 Responses

Why not contact them anonymously and let them know where the vulnerability is?
This way they can fix it and you'll be nowhere to be found.

I would contact them anonymously too if you just want to help them and don't want anything in return. However, you should probably use a proxy when you send the message. I think it only becomes illegal when you use the exploit, not if you used a scanner or found it randomly but didn't use it. However, it can be hard to prove that you have not used the exploit, so keep a low profile.

Depends on the exact situation. I could give examples of both cases, of the guy getting in trouble and of him not.

But in general, if you stay formal enough and don't get too cocky, it should work out. You'd need a good choice of words.

But if you really want nothing in return, doing it anonymously is another option.
As to real examples, they can be given for any outcome that may result.

-The Joker

Contact them and say that you are a security researcher and would like to run tests on their site to find vulnerabilities.

Save the emails and print them out for evidence.

Then you have permission to do more tests, etc.

Then finally disclose that info to the owner.
