Jon,

This is a message directed more to your company's incident response team than to you, but I don't know how to reach them. I hope they follow Bugtraq, or that you forward the message.

Jon W <jonw@ripco.com> writes:

> I work at Bank of America. I asked our incident-response team, and
> they would like the BUGTRAQ community to know that
> abuse@bankofamerica.com is monitored for reports by real security
> admins.
>
> So that would be the main point of contact for reports.

Let's say that you didn't happen to be monitoring Bugtraq. How does someone not associated with your company find the right point of contact information for reporting security problems to your company?

I quickly searched BoA's web site and couldn't find anything that pointed to the e-mail address you mention. I found information on how to report a lost or stolen ATM, check, and credit cards, how to handle identity theft, but nothing on how to report, for example, a vulnerability in a BoA web application. Please correct me if I missed the obvious.

In other words, it seems fairly easy for a customer to find information on how to report fraud, but it is not easy for a security researcher (or even a regular customer) to find information on how to report vulnerabilities in the company's infrastructure. This type of information should be provided in a very prominent place at the company's website.

Cheers,
Eloy.-