Security report, or not to report?

Sahil Tandon sahil at
Thu Dec 25 23:42:35 UTC 2008

Modulok wrote:

> I was given an FTP account on a server for company X. Being a UNIX
> guy, I did some poking around and discovered a security flaw in how
> they set their web server up, which would permit anyone at the company
> with an FTP account, to intercept ANY data that passed through the
> company website.
> Question:
> Do I tell them about it? On the one hand I want to do the 'right
> thing' and tell them about it and how to fix it. On the other, I don't
> want to be criminally prosecuted for finding the flaw. I'm not
> implying that they would do such a thing, but in order to find said
> flaw, I had to be poking around.

Report it.  If you are afraid of prosecution, and do not wish to be
contacted by anyone, create a gmail (yahoo, or whatever) account to send
the message and do so from a location that can not be traced to you.

Sahil Tandon <sahil at>

More information about the freebsd-questions mailing list