How to propose a security audit / pen-test
I have discovered some vulnerable websites owned by companies and organizations of my country. These websites have critical vulnerabilities. On some it is possible to do an unauthorized login, on others to run any SQL command and delete/create/modify files, to name a few.
I would like to know how I can approach these organizations and propose a vulnerability assessment on these websites.
- Should I (phone) call them? If so, what should I say?
- Should I write a letter? If so, what should be the template and contents?
And what about a (full) security audit?
If you know of a website or book that addresses these issues, I would appreciate it!
NOTE: I am very interested in how to contact them and sign a contract ($$$) with them.
I think it is a big opportunity for me to make some $. I don't know anyone else who can help them and I am sure they don't know how to fix the vulnerabilities.