What to do after discovering SQL Injection vulnerability in random websites?

3 points by mariocarvalho ↗ HN
After playing a little with Vega - I'm newbie in web auditions, just trying to learning something new - and auditing some websites I can see that 8/10 websites have SQL Injection vulnerabilities classified by Vega as High. What should I do here? Email the website owner?

4 comments

[ 5.0 ms ] story [ 23.2 ms ] thread
You can email the owner with a few tips to fix the issue. You can even offer to do a deeper inspection for some fee.
That might be interpreted as extortion. OP read up on responsible disclosure.
That's why I was careful to say that you should offer tips to fix the issue, not ask for money to do so. As for the second part (offering to do a security audit), I don't see how that's any different from cold-emailing someone with a proposal to redesign their site.
I would be very, very, very careful here. Not sure what country you're in, but you're setting yourself up for possible legal action, even though your intentions are good.