Would you pay as a website owner to be made aware that your website is


webworxs

1:43 pm on Sep 15, 2015 (gmt 0)



As part of doing research on the possibility of offering security services for small to medium businesses operating online we are posing these questions to you:

1) Would you pay or not if you were contacted by a security researcher explaining that they believe (and can prove with permission) that you have a security hole in your code? The nature of the problem with your website is causing your source code to be leaked to the world. Source code that may or may not contain login details to other services, either FTP, MySQL, etc.
2) Considering that website security audits price range from $40 - $10 000 and vary greatly depending on quality of service, how much would you pay if the researcher can prove to access source code of your website and provide a solution to remedy the problem?
3) Do you believe that the popularity of the website would determine the increase in asking price?

Leosghost

2:08 pm on Sep 15, 2015 (gmt 0)




how much would you pay if the researcher can prove to access source code of your website and provide a solution to remedy the problem?

Security penetration "testing" without prior authorisation ..is illegal almost everywhere..

You might want to rethink your business model..

As it stands you are likely to face court / jail time for hacking and or blackmail..

The first potential customer who goes to the police after your contact ( or before if they notice you in their site back end ) will likely result in your wardrobe changing to orange ( or your local jurisdiction's equivalent ) ..and your "friends" and neighbours suddenly becoming exclusively all the same sex as yourself..

topr8

3:06 pm on Sep 15, 2015 (gmt 0)




Leosghost you certainly have a way with words! very eloquently put.

@webworxs i think there is a need for security consultants for SMEs as they often don't prioritise security, either through unwillingness to spend or sheer ignorance.
finding customers who are willing to pay is the difficult part for all businesses.

i can't really offer a really good way of getting such business as i don't know.
as you know you can search google for telltale phrases - usually error messages, which indicate potential security holes.
perhaps you could email webmasters with a link to google/bing serps showing the error messages for their sites and explaining that although you haven't actually yet tested example.com, it would seem the site might have security holes and you specialise in plugging and repairing such holes?

as for question (3), although it would seem a more popular website could be made to pay more, if you are looking at establishing a real business that is ongoing, then being seen to have a fair pricing policy is probably a better strategy. e.g. the same price for the same work (irrelevant of who the customer is), although bearing in mind that bigger more popular websites may well involve more work than smaller ones ... not all jobs are in fact equal.

re question (1) ... for myself personally, cold callers put my back up, and especially so in the case of security etc, to me i smell a rat in such situations. i personally would be inclined to listen to what the caller said and then contact someone else to verify the situation and if it was true to then look for someone to repair it (e.g. not using the company that contacted me).

lucy24

8:19 pm on Sep 15, 2015 (gmt 0)




Would you pay or not if you were contacted by

You're kidding, right? Under what circumstances would anyone ever pay if they were cold-contacted by anyone other than the government, ahem asking for money?

Best-case response: letter goes straight into the recycling bin.
Worst-case response: ... comes not from the recipient but from the relevant law-enforcement body.