Penetration Testing mailing list archives

Re: [PEN-TEST] finding offensive material


From: Laudon Williams <eldub () POBOX COM>
Date: Tue, 6 Mar 2001 19:53:20 -0800

I look at it as a fairly straightforward issue. If this is a straight
pen-test (no policy component), then I'd just let it go, unless they have
some type of control in place and it is being circumvented. If I had a good
relationship with someone at the company, I might let them know off the
record. If this is a straight pen-test, it seems to be clearly out of scope
(least the way I scope these).

If the company lacks policy, this will cause a stir that they may not know
how to deal with. If you don't plan to offer "expert" advice on how to solve
these types of issues with proper policy and controls, it seems kinda like
pitching a grenade over the wall and leaving someone else to deal with it.

On the other hand, if you are fluent in the legal implications and writing
appropriate policies, drive on.

-LW



-> -----Original Message-----
-> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
-> Of Sheila
-> Sent: Tuesday, March 06, 2001 12:05 PM
-> To: PEN-TEST () SECURITYFOCUS COM
-> Subject: [PEN-TEST] finding offensive material
->
->
-> Hello,
-> If during penetration testing files are found on easily accessible business
-> shares that could be defined as either sexually or racially offensive, how
-> should that be presented in the finding in the final report? I assume this
-> could leave a company open to a lawsuit concerning hostile work environment,
->
-> Sheila Soulia

