Learning the Ropes of Security Consulting?

Tin asks: "I am a web developer and as a hobby, I sometimes find various security holes in application logic (the ones that provide a malicious user with root access, are not fixed by SPs and hotfixes and can go unnoticed/exploited for years). I then contact the company and, for a symbolic compensation, offer to demonstrate how a potential intruder could break in and work with their developers to fix the problem. Some companies can only deal with this in a legal way with a contract, etc. Again, this is a hobby, not a business, and I have no legal expertise in this matter whatsoever. So I would like to ask people who do this for a living and all slashdotters in general: What is the right/professional/legal/safe way to do this? What kind of compensation do you usually go for? Maybe somebody can email me a sample contract?"
  • Oh Dear Lord (Score:3, Informative)

    by clark625 ( 308380 ) <clark625@yahoo . c om> on Saturday October 13, 2001 @10:14PM (#2425739) Homepage

    My personal story goes like this: I was an undergraduate working part time in one of the non-main buildings for a large-ish business that was migrating to NT systems from a large Unix mainframe (not sure of the flavor). One day after the "cut-over", I was playing around a bit and accidentally took ownership of the building's NT Server's shares. All of them. Accounting, payroll, you name it. Apparently the consultants that were hired set things up such that anyone could do this. Oops.


    So, since my boss wasn't around, I walked over to the building's supervisor and let him know what kind of trouble I just made. Besides, I couldn't seem to get the ownership changed back and I figured I was about to be fired regardless. The supervisor instead was rather impressed by my "helpfulness" and called down to the VP in charge of the network.


    The next day I had to go to the main building (about 45 miles away) and see the VP in person with a few of his staff. Again, I wasn't fired, but instead considered helpful. We walked through a couple of things, and they seemed to be okay with it all. But the kicker was that they weren't at all worried. Why? Because they had already hired an insurance company to come in and audit their network. Those guys would be responsible for finding all their problems.


    So, while I was considered helpful, they really weren't concerned. They figured that the insurance people would do their job and find all their problems. That's the way they wanted to run their business. That's also the way that most businesses operate. If they don't ask for help, they may not object, but they'd prefer you to just not worry about things. Perhaps if they don't think about it, it will not exist.


    Now, don't get me wrong--I think it's noble to help others. And I also think it's important to help secure up the 'net for everyone's sake. I mean, if I had a buggy machine that was vulnerable I would want someone to tell me. But not everyone's that way. And companies especially are afraid of some bob-the-hacker guy calling or e-mailing about a vulnerability. How would they know you haven't already exploited that vulnerability? How would they know that you haven't told your friends about it?


    On the other hand, if you believe a company may be vulnerable, send them an e-mail or call them up and ask them if they would mind you just checking on their machines for vulnerabilities. If they say sure, then proceed and send them a nice report whether you find anything or not. If they say no, then DO NOT badger them. Politely say thanks for their time, and go on with life--even if you know they already are vulnerable. Some companies will get very unhappy and send lawyers if they find you scanning their networks and they know who did it.


    I suppose being listed as an "approved security consultant" for the company's insurer would be incredibly helpful as well. But I have no idea how one would go about doing that.

    • I couldn't seem to get the ownership changed back

      In NT, you take ownership of things, where in Unix you are assigned ownership of things. Just a philosophical difference.

  • Probing people's networks and then offering to fix things is a lousy idea and will get you in trouble eventually.

    Do you like door-to-door salesmen and spammers? Would you make decisions that will affect your business based on an unsolicited visit or phone call?

    Conduct your business in an ethical manner -- there is certainly no shortage of computer consulting gigs.
  • IANAL, but I suggest you consult one, preferably one with expertise in this area - specifically, one who knows what you can and can't do with regard to testing network or application security. It would be very easy for a situation to go south on you. Testing security on systems you do not own may be a crime in your jurisdiction. One suspicious-paranoid-incompetent manager or network supervisor is all it would take to turn you into a felon (and maybe a terrorist) for life.

  • It appears to me that the original question is regarding testing security of an application for which you or your client have a legitimate license to use, or a full beta/demo installation. That is, testing software by executing it on your own hardware.

    This may violate the EULA or 'shrinkwrap contract' for the software, but is not generally a criminal act.

    When you find a flaw in an application, contacting the vendor regarding the bug is a good idea. Asking them for compensation is a bad idea, and if it is phrased in any way that could possibly be construed as blackmail, could be a criminal act.

    IANAL, but I do find, report, and publicize security holes in software.
