Ask HN: Approaching companies with security problems
1 point by cookiecaper on March 29, 2018
Hi, I just switched over to full-time consulting again from standard employment.

As part of basic research on warm leads, I've done some very basic network research to get a feel for their networks by querying Shodan, dnsdumpster, etc. and seeing what's there.

I've only done this on a handful of companies and I've already found a few security problems. And these aren't fly-by-night outfits; some are publicly listed, all are reasonably stable and mature.

I contacted some important employees in one such company over LinkedIn and told them that we'd found a misconfiguration and that we'd like to discuss ways to fix this and potentially a meeting where we can discuss other ways that we could help them. There was no reply, but after ~two weeks and multiple attempts to establish contact, that particular misconfiguration has been resolved.

This is frustrating because they didn't even acknowledge my message. I don't necessarily expect to land a new client just by looking at a security search engine for two seconds, but I would hope that they could at least respond to the message. Honoring the request for a quick audience for a sales pitch would be a nice bonus too.

I'm trying to pitch these companies anyway, so in theory, coming in with proof that we've already found something that they can't deny they need help with should be positive.

But this violates a lot of principles of salesmanship and negotiation. In Jim Camp's "Start with No", which I just finished, he discusses how potential customers should never be made to feel "un-OK". Starting a pitch with verifiable proof that they're failing so flagrantly seems like it's hard to spin in a "you're OK" manner.

Security disclosures are a tricky area in general, as we all know. Is it best to just leave this kind of vulnerability off the table and keep the pitch from a cold sales position? Then there is no inferred accusation of incompetence making the situation more dicey.

Thoughts?