Dailydave mailing list archives

RE: Pen-Testing Disclosure was Re: Dreaming of Summer


From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Mon, 8 Dec 2003 10:51:12 -0500

My basic comment can be summed up completely with this: Keeping a 0day exploit for yourself to use for pen testing is lame. The only reason for keeping an attack secret would be to gather more business and make yourself look good in the process. Oooh ooh, lookey lookey, I keep getting into every site I've been contracted to pen test that runs application code XYZ version 1.0.

If you're one of those "Responsible Disclosure" people, then there's
going to be a period between when you notify the vendor and when they
make the vulnerability and patch public.  During that time, you would
legitimately have 0day.  You're not keeping it a secret.  The vendor, in
fact, is keeping it a secret.  

In the meantime, you're doing your due diligence and letting your
customers know everything you know.  Since your customer is probably a
responsible business entity who has no real interest in advertising the
vendor's bug (which they suffer from) until it's fixed, they're not
going to go publicising it (plus you should have a two-way NDA, to
protect your customer's security and your techniques).  If you know of
some workaround or fix for the vulnerability, then you can legitimately
increase your clients' security, using your own 0day, while performing
Responsible Disclosure.

Phil
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

