Penetration Testing mailing list archives
Re: [PEN-TEST] Disclosure policy when performing pentest
From: andy lowton <andy () DRAGONFLY DEMON CO UK>
Date: Thu, 23 Nov 2000 22:41:37 +0000
I think you have raised an interesting issue. We have found that if you disclose what you are finding as you go along, sys admins will start fixing the problems. This is great if they do it right, but they often change other things as well. What you should do then is re-test the box as the results you got are now invalid, but when you are testing a huge network this is not possible in the limited time available.

On the other hand if you say nothing about phf on an Internet web server and it gets 0wned before you get round to writing the report.......

At the end of the day, I think it depends on the severity of the problem and you have to play it by ear.

Cheers
andy

---------------------------------------
E-Mail: andy () dragonfly demon co uk
PGP/GnuPG Key available on request
Cultivating a healthy uptime addiction
---------------------------------------