Penetration Testing mailing list archives
Re: [PEN-TEST] Disclosure policy when performing pentest
From: Yonatan Bokovza <Yonatan () XPERT COM>
Date: Thu, 23 Nov 2000 20:43:16 +0200
-----Original Message-----
From: Masse, Robert [mailto:rmasse () RICHTERSECURITY COM]
Sent: Thursday, November 23, 2000 6:00 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Disclosure policy when performing pentest

What is the general consensus concerning the disclosure of vulnerabilities DURING a pen-test? If you find their web site vulnerable to attack mid-way or at the beginning of your pentest, do you tell the client immediately? Or do you wait until the end of the pentest, when you publish and submit your report?

Before I do a pentest, I usually explain to the client the pros/cons of each way. I let the client decide what is best for his company.
We do much the same. Unless the client requests otherwise, we give him a complete analysis of our findings when the process is through. There are cases where we inform immediately about a problem: any viral activity we discover in a client's network, either by mail or via open Trojan ports. I guess this rule applies whenever we discover that someone else is hacking our target. A different scenario is when we work on something near production, when time is of the essence and the client's developers can start solving the problems right away.
I personally prefer to wait until the end, since when I am performing a pentest the company is usually so full of vulnerabilities that we would never finish if I disclosed every major vulnerability as I found it. I would rather wait until the end and present the report with a separate 'immediate to-do list'.
Same for me.
Waiting usually involves about 1 week's time.
That depends on the scale of the job.
Anyone want to comment on this?

Thanks
Rob

Robert Masse, CISSP
Chief Technical Officer
Richter Security Inc.
2 Place Alexis Nihon, suite 905
Montreal, Quebec, Canada
+514 934 3566 Direct
+514 934 3406 Fax
Best Regards,
Yonatan Bokovza
IT Security Consultant.
yonatan () xpert com
Xpert Trusted Systems
972-9-9522361
Shenkar 1, Herzlia Pituach
Israel.
Current thread:
- [PEN-TEST] Disclosure policy when performing pentest Masse, Robert (Nov 24)
- Re: [PEN-TEST] Disclosure policy when performing pentest andy lowton (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Anders Thulin (Nov 25)
- <Possible follow-ups>
- Re: [PEN-TEST] Disclosure policy when performing pentest Yonatan Bokovza (Nov 24)
- Re: [PEN-TEST] Disclosure policy when performing pentest Gallicchio, Florindo (2007) (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Masse, Robert (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Etaoin Shrdlu (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Complx1 * (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Rudi Opperman (Nov 25)
- [PEN-TEST] Disclosure policy when performing pentest John Millican (Nov 26)
- Re: [PEN-TEST] Disclosure policy when performing pentest Rob Shein (Nov 28)