Abstract: Outlaw hackers often dump lists of vulnerable websites on Pastebin and other public repositories. Many companies are unaware of their security problems, and also unaware that they are now publicly exposed. And in many cases, the organizations at risk are high-level government sites or law enforcement agencies, entrusted with confidential data which can do great harm if it is exposed. What is the best response to this dangerous situation? One option is to simply do nothing, and let them get hacked. But I prefer to take direct action and attempt to help these people. After a small pilot study I did alone, I gave this "Cold Calls" project to my CISSP students as a class project, with excellent results. Many security problems have been resolved, and none of the companies we contacted have complained at all. I will present our techniques, our results, and recommendations for others who may want to do similar actions. The key is careful, polite communication.