Security report, or not to report?

Modulok modulok at
Thu Dec 25 21:39:51 UTC 2008


This isn't really FreeBSD related, but I have no one else to consult:

I was given an FTP account on a server for company X. Being a UNIX
guy, I did some poking around and discovered a security flaw in how
they set their web server up, which would permit anyone at the company
with an FTP account, to intercept ANY data that passed through the
company website.

Do I tell them about it? On the one hand I want to do the 'right
thing' and tell them about it and how to fix it. On the other, I don't
want to be criminally prosecuted for finding the flaw. I'm not
implying that they would do such a thing, but in order to find said
flaw, I had to be poking around.


More information about the freebsd-questions mailing list