Security report, or not to report?

APseudoUtopia apseudoutopia at
Thu Dec 25 21:43:02 UTC 2008

On Thu, Dec 25, 2008 at 4:39 PM, Modulok <modulok at> wrote:
> List,
> This isn't really FreeBSD related, but I have no one else to consult:
> I was given an FTP account on a server for company X. Being a UNIX
> guy, I did some poking around and discovered a security flaw in how
> they set their web server up, which would permit anyone at the company
> with an FTP account to intercept ANY data that passed through the
> company website.
> Question:
> Do I tell them about it? On the one hand I want to do the 'right
> thing' and tell them about it and how to fix it. On the other, I don't
> want to be criminally prosecuted for finding the flaw. I'm not
> implying that they would do such a thing, but in order to find said
> flaw, I had to be poking around.
> Suggestions?
> -Modulok-

Personally, I'd tell them.