Penetration Testing mailing list archives
RE: Using 0days as part of pen-test?
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Thu, 15 Jan 2009 13:10:36 -0500
I'm not sure I agree with this statement. If I'm testing a client's app and I find a vulnerability, I don't have any ethical requirement NOT to tell them. In fact, they are paying me, so it seems like they (to a degree) own the results of my testing. In fact, I would give the client the option to determine how the vendor gets notified. I've typically given the client full information and let them notify the vendor and call me in if needed.

Of course, if I discovered the vulnerability while working for the vendor, that changes things a bit, but in this case, that doesn't seem to be the issue.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Aarón Mizrachi
Sent: Thursday, January 15, 2009 10:05 AM
To: pen-test () securityfocus com
Subject: Re: Using 0days as part of pen-test?

....snip

I don't know the license of this ftp software, and how you have discovered that vuln. I think that you must follow the legal way to disclose the vuln (inform the vendor, wait, and disclose). Until you have done the disclosure you can't DOCUMENT this vulnerability on any pentesting...

...snip

That is a good premise for common tech documentation, but, ethically you can't release any further information of the vulnerability until you complete the disclosure process (it's a delay, sometimes an unacceptable delay).