Penetration Testing mailing list archives
Re: [PEN-TEST] Disclosure policy when performing pentest
From: "Gallicchio, Florindo (2007)" <florindo.gallicchio () ESAVIO COM>
Date: Thu, 23 Nov 2000 18:46:36 -0500
Rob:

In almost every instance, I believe it is imperative to let the client know immediately of any vulnerability that can be exploited relatively "easily" to penetrate the network (or individual server). I do this because the probability of someone else finding that vulnerability is pretty high.

If, however, as in your case, there are so many vulnerabilities all lumped together, I may tell the client to do something higher-level to at least "get them over the hump" until they can better address each vulnerability. For example, I may advise the client to use a firewall rule or router ACL entry to block a certain vulnerable service, or perhaps have the client alter a certain OS parameter, provided that doing this doesn't prohibit the mission of the server itself.

Since we provide specific fixes for each vulnerability and teach the client how to make those fixes themselves, it fits our operating model to help them as we find each high-risk problem. It's a case-by-case issue for me, but it's almost always an immediate notification, especially if I successfully penetrate the network or server.

Florindo

Florindo Gallicchio
VP, Business Development, Information Security
esavio
florindo.gallicchio () esavio com

-----Original Message-----
From: Masse, Robert
To: PEN-TEST () SECURITYFOCUS COM
Sent: 11/23/00 11:00 AM
Subject: [PEN-TEST] Disclosure policy when performing pentest

What is the general consensus concerning the disclosure of vulnerabilities DURING a pen-test? If you find their web site vulnerable to attack mid-way or at the beginning of your pentest, do you tell the client immediately? Or do you wait until the end of the pentest, when you publish and submit your report?

Before I do a pentest, I usually explain to the client the pros/cons of each way. I let the client decide what is best for his company.

I personally prefer to wait until the end, since when I am performing a pentest the company is usually so full of vulnerabilities that we would never finish if I disclosed every major vulnerability. I would rather wait until the end and present the report with a separate 'immediate to-do list'. Waiting usually involves about 1 week's time.

Anyone want to comment on this?

Thanks

Rob

Robert Masse, CISSP
Chief Technical Officer
Richter Security Inc.
2 Place Alexis Nihon, suite 905
Montreal, Quebec, Canada
+514 934 3566 Direct
+514 934 3406 Fax