Penetration Testing mailing list archives
RE: Full Disclosure of Security Vulnerabilities
From: "Security Department, anjiTech Data Solutions LLC" <security () anjitech com>
Date: Fri, 2 Nov 2007 21:46:00 +0100
As a long-time IT contractor: If you were hired to pen-test, found a vulnerability, and then released the vulnerability publicly, you'd best make sure your contract would stand in court to allow you to do so. If not, you are in for one heckuva lawsuit, one which you would most likely not win. Morality and security and everything aside, they hired you to do the test; they did not hire you to disclose the results to anyone but them. You need to let the individuals know of the vulnerability in the most official manner possible under the auspices of your contract and ensure they respond officially in kind. This can come back and bite you if you don't; it doesn't take much to say "you never told us, we didn't know" if you don't COA. An exploit that affects thousands of clients will cost them mucho bucks, and as with most corporations, they are always looking for ways to push that expense off on someone else.

If you have any doubts whatsoever, talk to a lawyer, and one who knows what you are talking about. Opinions are fantastic, but they do NOT pay the damages assessed in a court of law.

GET EVERYTHING IN WRITING WHEN DEALING CONTRACTUALLY!!! Anything less is...a vulnerability...

Jim

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jfvanmeter () comcast net
Sent: Wednesday, 31 October 2007 18:00
To: pen-test () securityfocus com
Subject: Full Disclosure of Security Vulnerabilities

Hello Everyone,

I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago, during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations. I sent screen shots and a packet capture to the vendor and they were able to recreate the exploit. My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it. What would you all do?

Best Regards
--John

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:
- Re: Full Disclosure of Security Vulnerabilities Mike Hale (Nov 01)
- <Possible follow-ups>
- Re: Full Disclosure of Security Vulnerabilities jfvanmeter (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities Junaid (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities Don Miesle (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities jfvanmeter (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities Patrick J Kobly (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities mlevenstein (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities jfvanmeter (Nov 01)
- RE: Full Disclosure of Security Vulnerabilities Security Department, anjiTech Data Solutions LLC (Nov 06)