Should i tell them

[foota]

Hello, I recently found a stupidly vulnerable business's site and wanted to know if I should send an email to the site admin telling him, and giving advice on how to fix it. On the one hand i want to help them and make there site, but on the other I don't want to get into trouble for exploring their site. What would you do?

[Goatboy]

Speaking from experience, I'd say keep it to yourself. Most people won't be too thrilled to find out that you know their weaknesses. And even if they don't take legal action, they usually won't fix the hole anyways.

[foota]

Ok, thank you. It's a sad age when people won't even let you save them.

[mutantsrus]

Indeed. I got in a lot of trouble at my school for trying to help find vulns on our distance learning site. It was fine at first... until the teacher blatantly lied to my principal to save her job. -_-

[sanddbox]

If you don't know the business, then go for it.

If it's your job or something else, don't.

[tremor77]

There are securities companies who do that sort of thing for a living however.. so, If you want to make a handy buck...

1. Get a business license.
2. Setup a website describing what you do.
3. Get an attorney.
4. Create an e-mail template AND a mailable letter template that sounds very professional.. and here is why...
5. Contact the business owner (NOT THEIR TECH OR WEBMASTER - because they will lie to save their job).
6. Explain clearly the security vulnerabilities found... with note, 'your IT staff should be able to fix this'.
7. If NOT - My company 'your company name' is available for $X to resolve your it problems.

This does in fact work.. I have friends who work for a security company just like the above.. it's where I'm trying to get a job actually, but I have a History Degree... lolz.. wtf is in a degree anyway, I can program better than half the monkeys coming our of RIT

[foota]

Would if I could but no-one likes taking security advice from a 15 year old.

[Goatboy]

If you don't care about personal recognition, you can always email them anonymously. There are tons of services out there to do just that. Google it. Then you at least feel better having reported it.

[Microelite7711]

In my experience, I emailed them about it. No response so I went ahead and exploited it. It was hilarious and they sent me a non-threatening email finally and they fixed it. I was 16 then, and I wouldn't recommend following the same path.