After playing a little with Vega - I'm a newbie in web auditing, just trying to learn something new - and auditing some websites, I can see that 8/10 websites have SQL Injection vulnerabilities classified by Vega as High. What should I do here? Email the website owner?
I would be very, very, very careful here. Not sure what country you're in, but you're setting yourself up for possible legal action, even though your intentions are good.
That's why I was careful to say that you should offer tips to fix the issue, not ask for money to do so. As for the second part (offering to do a security audit), I don't see how that's any different from cold-emailing someone with a proposal to redesign their site.