Legalities of freelance security consultant (SQLi) [closed]

Posted by Seidr on Server Fault See other posts from Server Fault or by Seidr
Published on 2011-09-19T07:49:44Z Indexed on 2012/06/15 15:18 UTC


Over the years I've gained a large amount of experience in programming (my main occupation) and server admin, and as a result have a fairly decent backing in security practices. I'm also pretty good at spotting security flaws in software (including but not limited to SQLi), and have built up a list of sites that could definitely use some looking at.

My question is, what are the legalities of me contacting these sites saying something along the lines of "I've looked at your site and it appears vulnerable - customer data could be compromised - would you like me to fix it?". Could me finding out that the site is in fact vulnerable be construed as an attack itself? If the prospective client so wished, could they take me to court over this?

When I find a vulnerable site, all I do is confirm and make a note of the vulnerability. I'm not in it for personal gain (getting paid for FIXING it would be nice!), just curiosity. Is this a viable way to go about finding clients for this kind of work, or would you recommend a more 'legitimate' way?

Any suggestions/advice would be greatly appreciated :)

© Server Fault or respective owner
