Best way to pitch for a contact.

**jon** · Nov 21st, 2007, 6:33 am

Hi,

We have recently come across a pretty large local companies website that has a few massive gaping holes in the system. Things like parsing database query's in the URL on lots of different occasions. It would be possible to delete the entire database just with a few variable changes on a few different urls.

Needless to say we haven't done such a thing, but we feel this site needs fixing.

What would be the best way to pitch for this contact? I don't want the first contact we make with the company sound like a threat. More a suggestion, but wording that we could take their entire site down in a few minutes isn't going to be an easy thing to portray to a non-techy person.

Write a proposal and email it over? Call them and try and make it sound like a suggestion and not a thread? Take their site down and make it forward to our company site? (that isn't a serious suggestion btw :lol: )

Any help is much appreciated.

Thanks,
Jon

**Zap** · Nov 21st, 2007, 7:06 am

How about a face to face meeting with someone that starts off with...
"Did you know that your website data is vulnerable to..."

People who make threats, wouldn't usually do it in person, so you have the opportunity to help them stay at ease with the news, since you're there to reassure them that you have good intentions.
You're also letting them know that there is a problem and I would even tell them how you intend to fix it.

**chaka42** · Nov 21st, 2007, 7:33 am

Originally Posted by Zap

You're also letting them know that there is a problem and I would even tell them how you intend to fix it.

I wouldn't tell them too much, otherwise, they would just do what you propose.

Still, the work is in convincing the company that their site is broken and that they should pay you to fix it.

**Zap** · Nov 21st, 2007, 7:52 am

Originally Posted by chaka42

I wouldn't tell them too much, otherwise, they would just do what you propose.

Still, the work is in convincing the company that their site is broken and that they should pay you to fix it.

How do you tell them their website is broken without telling them how it's broken?

You have to give a little to get a little.
You never know... they may appreciate the honesty and reward it with the job.

Conversely, if someone comes to me and tells me that something's wrong with my website; they won't tell me what's wrong and won't tell me how the're going to fix it, I would view them as a little bit shady.

**dvduval** · Nov 22nd, 2007, 11:47 am

I think honesty is always the best approach. It doesn't mean you need to show exactly how to exploit it, but you will be doing them a good service telling them about the problem even if you don't get the work. If you handle this well, you will actually build trust, but make sure you are right about this. You won't look good if there is actually no problem at all.

**ewomack** · Nov 28th, 2007, 7:20 pm

You do have to tell them what's wrong and give some specific description, otherwise they'll just blow you off as spam for the paranoid. You can point out the holes and the vulnerabilities and say "we know how to fix it. Can we work with your security group on a consulting basis?" If all goes well they may call you back later. Start small. Don't take over the company on the first job.

**Zap** · Nov 28th, 2007, 7:25 pm

Originally Posted by ewomack

You do have to tell them what's wrong and give some specific description, otherwise they'll just blow you off as spam for the paranoid. You can point out the holes and the vulnerabilities and say "we know how to fix it. Can we work with your security group on a consulting basis?" If all goes well they may call you back later. Start small. Don't take over the company on the first job.

Good advice.

I couldn't take someone seriously if they didn't give me some details.

**axemedia** · Nov 28th, 2007, 10:20 pm

By being upfront with what needs fixing and how gives you an opportunity to display that you're very knowledgeable. While you're at it you can make suggestions on what else could be improved on the site or added to the site that would create real value for the business and their site.

Impress the hell out of them and they are sure to get you to do it instead of themselves or someone else. If they happen to be the type that would just take your suggestions and pass them on to the people that usually take care of their site then, oh well, just move on to the next one.