Dailydave mailing list archives
RE: Pen-Testing Disclosure was Re: Dreaming of Summer
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Mon, 8 Dec 2003 10:51:12 -0500
> My basic comment can be summed up completely with this: Keeping a 0day exploit for yourself to use for pen testing is lame. The only reason for keeping an attack secret would be to gather more business and make yourself look good in the process. Oooh ooh, lookey lookey, I keep getting into every site I've been contracted to pen test that runs application code XYZ version 1.0.
If you're one of those "Responsible Disclosure" people, then there's going to be a period between when you notify the vendor and when they make the vulnerability and patch public. During that time, you would legitimately have 0day. You're not keeping it a secret. The vendor, in fact, is keeping it a secret. In the meantime, you're doing your due diligence and letting your customers know everything you know. Since your customer is probably a responsible business entity who has no real interest in advertising the vendor's bug (which they suffer from) until it's fixed, they're not going to go publicising it (plus you should have a two-way NDA, to protect your customer's security and your techniques). If you know of some workaround or fix for the vulnerability, then you can legitimately increase your clients' security, using your own 0day, while performing Responsible Disclosure.

Phil

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave