Penetration Testing mailing list archives
Re: [PEN-TEST] Disclosure policy when performing pentest
From: Rob Shein <rshein () mail wash averstar com>
Date: Mon, 27 Nov 2000 15:39:46 -0500
> This is a judgment call that is not subject to being decided by a formula. This is a call that should be made by the client because only they can decide the kind and level of risk they are willing to incur. This should be resolved before the penetration test begins, and the client should provide the guidelines. If a formula-like process is used to develop the guidelines, fine.
Very true, but I think that another variable to this judgement call is being missed: the client. Some clients are welcoming and cooperative to vulnerability assessments and pen-tests, and therefore can be counted upon to react rationally to advance warning before the final report. On the other hand, there are situations where the staff, for reasons that range from personal hubris to a work environment that makes them fear for their jobs, is not quite so cooperative, and where I've even been afraid to release information in advance lest there be attempts to discredit the work (aka, the point of contact who feels threatened closes vulnerabilities and then states that they had never been present). This, to me, comes down to an almost Darwinian view of things, where friendliness towards consultants brought in to help harden and defend a network is a survival trait (hmm...symbiosis?). Ethically, I think that serious holes and vulnerabilities should be brought to light immediately, but practically speaking, I don't think that to be an absolute, and I certainly will not hazard myself or my co-workers if I think that there is a risk to releasing results or findings before everyone is in the room together.
> That's because those of us in the US would rather watch a good ethical battle than participate in one. Witness Florida.
Now, now, now...this is the "pen-test" list, not the "hey, let's get the whole country together to tell one state how to run their share of the electoral college" list :)
Current thread:
- [PEN-TEST] Disclosure policy when performing pentest Masse, Robert (Nov 24)
- Re: [PEN-TEST] Disclosure policy when performing pentest andy lowton (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Anders Thulin (Nov 25)
- <Possible follow-ups>
- Re: [PEN-TEST] Disclosure policy when performing pentest Yonatan Bokovza (Nov 24)
- Re: [PEN-TEST] Disclosure policy when performing pentest Gallicchio, Florindo (2007) (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Masse, Robert (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Etaoin Shrdlu (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Complx1 * (Nov 25)
- Re: [PEN-TEST] Disclosure policy when performing pentest Rudi Opperman (Nov 25)
- [PEN-TEST] Disclosure policy when performing pentest John Millican (Nov 26)
- Re: [PEN-TEST] Disclosure policy when performing pentest Rob Shein (Nov 28)