Re: [PEN-TEST] Disclosure policy when performing pentest

[Rudi Opperman <ropperman () DELOITTE CO ZA>]

Hi

> From my perspective it depends on the severity of the exploit.  If a
remotely & anonymously exploitable vulnerability is found active in a
revenue generating system we inform the client immediately.  If they were
compromised and we knew the hole but just kept quite ... probably bad for
business, yours and theirs.

Just my 2c worth
(at least 15 ZA cents!)

Bye
Rudi

-----Original Message-----
From: Masse, Robert [mailto:rmasse () RICHTERSECURITY COM]
Sent: 23 November 2000 06:00
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Disclosure policy when performing pentest


What is the general consensus concerning the disclosure of vulnerabilities
DURING a pen-test?

If you find their web site vulnerable to attack mid-way or at the beginning
of your pentest do you tell the client immediately?  Or do you wait until
the end of the pentest when you publish and submit your report?

Before I do a pentest, I usually explain to the client the pros/cons of each
way.  I let the client decide what is best for his company.

I personally prefer to wait until the end since when I am usually performing
a pentest, the company is so full of vulnerabilities we will never finish if
I would disclose on every major vulnerability.  I would rather wait until
the end and present the report with a seperate 'immediate to-do list'.
Waiting usually involves about 1 weeks time.

Anyone want to comment on this?

Thanks

Rob



Robert Masse, CISSP
Chief Technical Officer

Richter Security Inc.
2 Place Alexis Nihon, suite 905
Montreal, Quebec, Canada
+514 934 3566 Direct
+514 934 3406 Fax