At the goading of a coworker, I poked around on a public web site, and found a vulnerability that could allow me to totally screw stuff up. Because I own stock in the multi-million dollar company that ran the web site, I opted to just tell them, and not actually try out any evil stuff.
It then occurred to me that although I was “just looking” I probably could have been “just looking” at several thousand credit card numbers, which seems like it could be data theft or something. A DOS attack is “just looking” a few thousand times per second. Right?
Anybody know what the real legal ramifications are for this kind of stuff?
Oh and I just checked my last prospectus, and the revenues of 1999 were about 5 billion. Can’t help but imagine how many lawyers they are going to send to rough me up.
As long as you’re not trying to extort money from them, they should be grateful to learn this. Notify the webmaster, reassuring them by letting them know that you’re a stockholder and you don’t want anything. You have a skill of knowing where the doors are, and they left a door open. I probably wouldn’t give enough details in the e-mail message to let a snooper figure out how you did it - tell them in a phone conversation.
I wouldn’t be surprised if they sent around an investigator, to see whether you’re up to no good, but you’ll be open and honest, and they’ll realize that you were doing them a big favor. They might even offer you a job.
If you actually call, call from a payphone, and if you email, email from a public terminal (library or cyber-cafe); use cash to pay. You can always check the email account (use a hotmail account that you use for -only- this one time email) from another public terminal. No need for your good intentions to land you in trouble.
Great idea, Wonko… Then they’ll think that you really are threatening them, and get them to call out the FBI on you. Sure, they probably won’t catch you, if you do it that way, and even if they do, you might get a pardon or something…
The best route is probably to be completely open about it-- Let them know exactly who you are, by your real name and some other identifying info, and tell them why you’re concerned (you’re a stockowner). This way, they won’t feel threatened, and if they are anyway, then you stand a much better chance of demonstrating your benign intentions should it go to trial. Besides, this way they know who to offer the job to, as CurtC mentioned.
Do a web search on “intel” and “schwartz” to see what could happen with a few misunderstandings between a person and a 5 billion dollar company. As you’ve already contacted the company in question, according to your OP, I feel that what CurtC and Chronos have said has the most merit. Investigators, like dogs, can smell fear; being honest and open helps assure them that you’re not just fronting some cover story.
A good resource when dealing with electronic vulnerabilities is to get in touch with CERT. They handle these incidents all the time, and could probably give you good advice, or even help you in eliminating the vulnerability.
Oh, and I Am Not A Lawyer, This Is Not Legal Advice, &tc.
Chronos- You have a point, but I am just thinking of the old saying…
“No good deed goes unpunished”
The security dept tends to be one of the more -paranoid- departments in any company. I wouldn’t want to be on their “people to be paranoid of, and we know who they are” list.