From: Modulok <modulok@gmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 25 Dec 2008 14:39:49 -0700
Subject: Security Exploits...to report, or not to report?
Message-ID: <64c038660812251339r71c0a47dy8cb069a322555eda@mail.gmail.com>
List,

This isn't really FreeBSD related, but I have no one else to consult:

I was given an FTP account on a server for company X. Being a UNIX guy, I did some poking around and discovered a security flaw in how they set their web server up, which would permit anyone at the company with an FTP account to intercept ANY data that passed through the company website.

Question: Do I tell them about it?

On the one hand I want to do the 'right thing' and tell them about it and how to fix it. On the other, I don't want to be criminally prosecuted for finding the flaw. I'm not implying that they would do such a thing, but in order to find said flaw, I had to be poking around.

Suggestions?

-Modulok-