Penetration Testing mailing list archives

Re: [PEN-TEST] Disclosure policy when performing pentest


From: "Masse, Robert" <rmasse () RICHTERSECURITY COM>
Date: Fri, 24 Nov 2000 09:46:11 -0500

Great feedback so far.

1)

Most people seem to think if the vulnerability is 'high' the client should
be told.  How do you draw that line? What is the magic formula where you say
"OK this is bad, you should know now before the report is submitted" (i.e. in
the style of a function x=a+b+c+d^5)?

2)

I find it curious that most of the replies to this thread have mostly NOT
originated from North America.

Rob



Robert Masse, CISSP
Chief Technical Officer

Richter Security Inc.
2 Place Alexis Nihon, suite 905
Montreal, Quebec, Canada
+514 934 3566 Direct
+514 934 3406 Fax


-----Original Message-----
From: Anders Thulin [mailto:Anders.X.Thulin () TELIA SE]
Sent: Friday, November 24, 2000 2:50 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Disclosure policy when performing pentest


"Masse, Robert" wrote:

I personally prefer to wait until the end since when I am usually performing
a pentest, the company is so full of vulnerabilities we will never finish if
I would disclose on every major vulnerability.

  It makes a certain sense to decide beforehand if there are any highly
sensitive systems or networks involved in the test, and report important
vulnerabilities found in them as quickly as possible.

  Sooner or later the lag between discovery and report will result in
a vulnerability being exploited before a report is made. If the likely damage
is high -- say, several times the cost of the pen test -- that time must be
kept short.

  The client is (or should be) in the best position to decide which systems or
networks are sensitive enough; the pen-tester in the best position to decide
how serious the vulnerability is, with regard to the exposure the particular
system actually has.

  The professional pen-tester needs to assess both the risk to his
client's business *as*well*as* the risk to his own. Of course, it's
never a question of blindly following a rule, as it never can be when
... well, call it expertise ... is involved.

  Well, IMO, anyway.
--
Anders Thulin     Anders.X.Thulin () telia se     040-10 50 63
Telia Prosoft AB,   Box 85,   S-201 20 Malmö,   Sweden

