Information Security Sell Out: White Hats & Application Security
Interesting post on the Information Security Sell Out blog, which comments on a story from CNet here and a post over at StillSecure here.
I'm mainly with the Sell Out guy. Whilst it's a shame that we lose an aspect of bug finding, there's no way for a company that sees malicious traffic to tell what the intent of the person generating it is, and the defence of "I was researching their web site security, Your Honour" doesn't and shouldn't work.
All that said, there is a problem, and here it is. In the current climate, if I find a security vulnerability in a site through legitimate traffic I probably won't report it, because I don't want to deal with the possibility that the site owner will take it the wrong way and accuse me of hacking.
Here's an example. I clicked on a link to a site from a forum I hang out on, and it took me to the site... LOGGED IN as the user who'd posted the link, with the ability to view and update his profile on the site!
The site had made the very stupid mistake of putting the session identifier in the URL (D'oh). So: completely legitimate traffic, security problem identified. But if I reported it, they could easily scream "hacker" and I'd have a world of hassle to deal with which I don't need. So I quietly told the forum poster, he removed the link, and I went on my way.
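The flaw described above is worth making concrete from the defender's side. The following is an added example, not code from the post or from the site in question: a small checker that flags URLs carrying session-looking query parameters (the kind of link that, once pasted into a forum, hands the poster's session to everyone who clicks it), a helper that strips those parameters before a link is shared, and the cookie-based alternative the site should have used. The parameter names, the token heuristic, and the sample links are assumptions constructed for the example.

```python
"""Detect and remediate session identifiers carried in URLs (added example)."""
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names commonly used to carry a session identifier.
# Hypothetical list assembled for this example; extend it for your stack.
SESSION_PARAM_NAMES = {
    "sessionid", "session_id", "sid", "phpsessid", "jsessionid",
    "aspsessionid", "token", "auth",
}

# Heuristic: long opaque hex/base64-ish values look like session tokens.
# This will flag some legitimate identifiers too; treat hits as review items.
TOKEN_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


def find_session_leaks(url):
    """Return (name, value) pairs from the query string that look like session ids."""
    parts = urlsplit(url)
    leaks = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES or TOKEN_VALUE_RE.match(value):
            leaks.append((name, value))
    return leaks


def strip_session_params(url):
    """Return the URL with session-looking parameters removed, safe to paste."""
    parts = urlsplit(url)
    flagged = {name for name, _ in find_session_leaks(url)}
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if n not in flagged]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def session_cookie_header(name="session", max_age=3600):
    """Build a Set-Cookie header carrying the session in a cookie, not the URL.

    Returns (token, header). Secure keeps it off plain HTTP, HttpOnly keeps it
    away from page scripts, SameSite=Lax keeps it out of cross-site requests.
    A cookie never travels with a copied link, which is the whole point.
    """
    token = secrets.token_urlsafe(32)
    header = (f"{name}={token}; Path=/; Max-Age={max_age}; "
              f"Secure; HttpOnly; SameSite=Lax")
    return token, header


# Constructed sample links, as they might be pasted into a forum post.
SAMPLE_LINKS = [
    "https://forum.example/thread?id=17&page=2",
    "https://profiles.example/me?user=42&PHPSESSID=a1b2c3d4e5f6a7b8c9d0",
]


def audit_links(links=SAMPLE_LINKS):
    """Map each link to its leaks; a non-empty list means 'do not share as-is'."""
    return {link: find_session_leaks(link) for link in links}


if __name__ == "__main__":
    for link, leaks in audit_links().items():
        status = "LEAK" if leaks else "ok"
        print(f"{status:4} {link}")
        if leaks:
            print("     shareable form:", strip_session_params(link))
    _, header = session_cookie_header()
    print("Set-Cookie:", header)
```

Running the block prints one line per sample link, marks the second as a leak, shows the cleaned URL, and prints the kind of Set-Cookie header a site should issue instead of embedding the identifier in links. The same checker can be run over outbound links in a forum's post-submission path, so the problem is caught before the link is ever published.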
So there is a fine line here. Finding a problem through legitimate traffic: fine. Thinking "ooh, a problem, what happens if I try ' OR 1=1;-- ": not so fine.
What might be good would be a mechanism for people to report suspected problems anonymously to a central point that could then notify site owners...