Re: [PEN-TEST] Disclosure policy when performing pentest

[Complx1 * <complx1 () HUSHMAIL COM>]

Last weekend myself and an partner were performing our first pentest
for the consulting company we work for.
it began on a friday, and was to go through till wednesday,  minus
the weekend time, and all internal.
on friday we discovered their web server had unicode vulnerability.

In coming in saturday, the person who ordered the pen test asked
for a "briefing on our progress" , in not wanting to give away all our work
info in an hour and blow the whole process i told him his w3 server
had server vulnerability and that we would include it , and the rest in
the
report.

he mumbled,  "the web server?  heh , the one that was hacked?"

I say,   "what?  when did this happen"

Yesterday.

In my opinion,  anonymously , remote vulnerabilities might take priority
in early disclosure.
However, it was the incident itself that proved how much they needed
the test we were performing.

they took a hit, mid way.. and felt the sting.

which will be a unique dilemma in itself, and a lesson for
us in our first pen test ( ps: thanks for all the advice and quality
informatiaon that comes from this list.)

cost of new firewall $1000

cost for new sysadmin $50,000

feeling of not getting hacked,  priceless

-the jedi boogie knights


At Fri, 24 Nov 2000 09:01:43 +0200, Rudi Opperman <ropperman () DELOITTE CO ZA>
wrote:

> Hi
>
> > From my perspective it depends on the severity of the exploit.  If
> a
> remotely & anonymously exploitable vulnerability is found active in
> a
> revenue generating system we inform the client immediately.  If they
> were
> compromised and we knew the hole but just kept quite ... probably bad
> for
> business, yours and theirs.
>
> Just my 2c worth
> (at least 15 ZA cents!)
>
> Bye
> Rudi
>
> -----Original Message-----
> From: Masse, Robert [mailto:rmasse () RICHTERSECURITY COM]
> Sent: 23 November 2000 06:00
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: [PEN-TEST] Disclosure policy when performing pentest
>
>
> What is the general consensus concerning the disclosure of vulnerabilities
> DURING a pen-test?
>
> If you find their web site vulnerable to attack mid-way or at the beginning
> of your pentest do you tell the client immediately?  Or do you wait
> until
> the end of the pentest when you publish and submit your report?
>
> Before I do a pentest, I usually explain to the client the pros/cons
> of each
> way.  I let the client decide what is best for his company.
>
> I personally prefer to wait until the end since when I am usually performing
> a pentest, the company is so full of vulnerabilities we will never finish
> if
> I would disclose on every major vulnerability.  I would rather wait
> until
> the end and present the report with a seperate 'immediate to-do list'.
> Waiting usually involves about 1 weeks time.
>
> Anyone want to comment on this?
>
> Thanks
>
> Rob
>
>
>
> Robert Masse, CISSP
> Chief Technical Officer
>
> Richter Security Inc.
> 2 Place Alexis Nihon, suite 905
> Montreal, Quebec, Canada
> +514 934 3566 Direct
> +514 934 3406 Fax