Penetration Testing mailing list archives

Re: [PEN-TEST] Disclosure policy when performing pentest


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Fri, 24 Nov 2000 07:31:32 -0800

"Masse, Robert" wrote:

> Great feedback so far.
>
> Most people seem to think if the vulnerability is 'high' the client
> should be told.  How do you draw that line? What is the magic formula
> where you say "OK this is bad, you should know now before the report
> is submitted" (IE in the style of a function x=a+b+c+d^5).

There are a few things you can use in an algorithmic sort of way.

 o How long is the test supposed to last?
   If the test is of limited length, or is nearing a close, you would
   probably want to wait until after it is over.
 o Is it limited in some way, or inclusive of the entire enterprise?
   Not all tests cover the enterprise. It may be that the area you are
   testing is small enough that the exploited vulnerability is not
   likely to affect much of the enterprise.
 o What will the business cost be (approximately) if the particular
   machine or application is compromised before the completion of
   the test?
   If the vulnerability you found means that the web page can be
   defaced, unless it's CNN you're doing the test for, ignore it.
   That is, of course, unless the web server is not located in a DMZ,
   or provides other services than just http/https.
 o How easy is it to exploit the vulnerability you've found?
   Is it a variety of statd? Is it yet another IIS exploit?
   You might want to actually use the exploit, lock down the machine,
   and continue on. If not, and the standard script monster can get
   in before you finish your tests, you should try to get the worst
   cases locked down before you continue.
 o Is it already exploited?
   This is the most difficult. If you find a machine that already
   appears to have been violated, you really must notify your employer
   (defined here as the person who you are testing), and stop the test
   at once. It is now a case for forensics, not further testing.

> I find it curious that most of the replies to this thread have
> mostly NOT originated from North America.

I'd remind you that much of NA was distracted with the annual gluttony
day.

--
Real programmers disdain structured programming.  Structured
programming is for compulsive neurotics who were prematurely
toilet-trained.  They wear neckties and carefully line up
pencils on otherwise clear desks.

