
Thread: Getting Business

  1. #1

    Thread Starter
    Frenzied Member Memnoch1207's Avatar
    Join Date
    Feb 2002
    Location
    DUH, Guess...Hint: It's really hot!
    Posts
    1,861

    Getting Business

    So here's my question.... I'm a Software Developer and Security Consultant. I specialize in web based application security, SQL Injection, XSS, etc...

    I have found numerous web development companies around my area that have created data driven websites or web based applications for their customers. About 75% of these websites/applications they are creating have severe vulnerabilities. Vulnerabilities that can allow a hacker to steal their data, take control of their server, corrupt/delete their data, etc...

    Being in my shoes, how would/could you approach these companies, inform them of their issues and offer your services?

    Note: I've broken no laws, crossed no unethical lines in determining these vulnerabilities. I just did some simple tests to determine if any vulnerabilities existed.

    I did email one of the companies informing them of their vulnerabilities. I didn't offer my services, but I definitely mentioned that I was a security consultant.
    Last edited by Memnoch1207; Nov 8th, 2005 at 11:54 PM.
    Being educated does not make you intelligent.


  2. #2
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,127

    Re: Getting Business

    If you want serious answers, perhaps you have to ask a moderator to move it to a more appropriate section or add a serious tag in the title...
    Regards,



  3. #3
    Hyperactive Member Juan Carlos Rey's Avatar
    Join Date
    Aug 1999
    Location
    Mendoza, Argentina
    Posts
    301

    Re: Getting Business

    Quote Originally Posted by Memnoch1207
    Note: I've broken no laws, crossed no unethical lines in determining these vulnerabilities.
    Blackmail them.
    Combat poverty: kill a poor!!

  4. #4
    PowerPoster Static's Avatar
    Join Date
    Oct 2000
    Location
    Rochester, NY
    Posts
    9,390

    Re: Getting Business

    Maybe you could email the webmaster... inform them of the security holes.
    Tell them you are a security consultant and would love the chance to work for them to repair the problems... something along those lines. Don't give them specific details of what the issues are. (That's only if they hire, or inquire about your services.)
    JPnyc rocks!! (Just ask him!)

  5. #5
    Lively Member deranged's Avatar
    Join Date
    Jun 2004
    Location
    TN
    Posts
    104

    Re: Getting Business

    Quote Originally Posted by Static
    Maybe you could email the webmaster... inform them of the security holes.
    Tell them you are a security consultant and would love the chance to work for them to repair the problems... something along those lines. Don't give them specific details of what the issues are. (That's only if they hire, or inquire about your services.)
    I would also suggest that you put some extra time into writing the email, making sure that it doesn't seem like spam generated by a program that just knows to substitute a general string like '[NAME]' to their first name.

    And like Static said, don't give him enough information that he can fix it himself or that he could get others to fix it for cheaper, but give him enough information so that he knows that there is a real risk. Maybe even give him a piece of information that, as admin, he can find out easily, but, as a normal user, you shouldn't be able to find out. Give him a very vague explanation of how you got it (i.e. there was an exploit in X script that allows such information out). Also warn him of the dangers of such exploits and what it may cost him if he doesn't get it fixed.

  6. #6
    PowerPoster
    Join Date
    Jul 2002
    Location
    Dublin, Ireland
    Posts
    2,148

    Re: Getting Business

    I would be very wary of actually checking their system and telling them you have done this, as this is getting into a grey area legally.

    Instead say that "In my experience many companies have security holes. If you were to employ me I would test your site by [..clever stuff here..]"

  7. #7
    Hyperactive Member vbcode1980's Avatar
    Join Date
    Nov 2005
    Location
    Anywhere the wind blows
    Posts
    365

    Re: Getting Business

    Just fix the holes and then charge them!

    If they don't want to pay, tell them that it's just as easy for you to open up the security holes again..
    I code C#....
