Penetration Testing mailing list archives

RE: Using 0days as part of pen-test?

From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Thu, 15 Jan 2009 13:10:36 -0500

I'm not sure I agree with this statement.  If I'm testing a client's app and I find a vulnerability, I don't have any 
ethical requirement NOT to tell them.  In fact, they are paying me so it seem like the (to a degree) own the results of 
my testing.  In fact, I would give the client the option to determine how the vendor gets notified.  I've typically 
given the client full information and let them notify the vendor and call me in if needed.

Of course, if I discovered the vulnerability while working for the vendor, that changes things a bit but in this case, 
that doesn't seem to be the issue.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Aarón Mizrachi
Sent: Thursday, January 15, 2009 10:05 AM
To: pen-test () securityfocus com
Subject: Re: Using 0days as part of pen-test?

....snip
I dont know the license of this ftp software, and how you have discovered that
vuln. I think that you must follow the legal way to disclose the vuln (inform
to vendor, wait, and disclose). Until you done the disclose you can't DOCUMENT
this vulnerability on any pentesting...

...snip
That is a good premise for common tech documentation, but, ethically you can't
release any further information of the vulnerability until you complete the
disclosure proccess (it's a delay, sometimes unacceptable delay).








**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
message. If you have received this communication in error, please notify the sender and delete this e-mail message. The 
contents do not represent the opinion of D&E except to the extent that it relates to their official business.

Current thread:

Re: Using 0days as part of pen-test?, (continued)
- - - Re: Using 0days as part of pen-test? David Howe (Jan 13)
- Re: Using 0days as part of pen-test? Jason Ross (Jan 13)
  - Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? Dotzero (Jan 13)
- Re: Using 0days as part of pen-test? Paul Melson (Jan 13)
- Re: Using 0days as part of pen-test? Aarón Mizrachi (Jan 14)
- Re: Using 0days as part of pen-test? Morning Wood (Jan 21)
  - Re: Using 0days as part of pen-test? Jeremy Brown (Jan 21)
- Using 0days as part of pen-test? christopher . riley (Jan 13)
- Re: Using 0days as part of pen-test? Aarón Mizrachi (Jan 15)
  - RE: Using 0days as part of pen-test? Shenk, Jerry A (Jan 17)
    - Re: Using 0days as part of pen-test? David Howe (Jan 20)
    - Re: Using 0days as part of pen-test? Aarón Mizrachi (Jan 20)
    - Re: Using 0days as part of pen-test? David Howe (Jan 20)
  - Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 17)