

What to do after discovering SQL Injection vulnerability in random websites?  - mariocarvalho

After playing a little with Vega - I'm a newbie in web auditing, just trying to learn something new - and auditing some websites, I can see that 8/10 websites have SQL Injection vulnerabilities classified by Vega as High. What should I do here? Email the website owner?
======
pktgen
I would be very, very, very careful here. Not sure what country you're in, but
you're setting yourself up for possible legal action, even though your
intentions are good.

------
gk1
You can email the owner with a few tips to fix the issue. You can even offer
to do a deeper inspection for some fee.

~~~
INIT_6
That might be interpreted as extortion. OP, read up on responsible disclosure.

~~~
gk1
That's why I was careful to say that you should offer tips to fix the issue,
_not_ ask for money to do so. As for the second part (offering to do a
security audit), I don't see how that's any different from cold-emailing
someone with a proposal to redesign their site.

