Penetration Testing mailing list archives

Re: [PEN-TEST] Disclosure policy when performing pentest


From: Rob Shein <rshein () mail wash averstar com>
Date: Mon, 27 Nov 2000 15:39:46 -0500

> This is a judgment call that is not subject to being decided by a formula.
> This is a call that should be made by client because only they can decide
> the kind and level of risk they are willing to incur.  This should be
> resolved before the penetration test begins, and the client should provide
> the guidelines.  If a formula-like process is used to develop the
> guidelines, fine.

Very true, but I think that another variable to this judgement call is being
missed: the client.  Some clients are welcoming and cooperative to
vulnerability assessments and pen-tests, and therefore can be counted upon
to react rationally to advance warning before the final report.  On the
other hand, there are situations where the staff, for reasons that range
from personal hubris to a work environment that makes them fear for their
jobs, is not quite so cooperative, and where I've even been afraid to
release information in advance lest there be attempts to discredit the work
(aka, the point of contact who feels threatened closes vulnerabilities and
then states that it had never been present).  This, to me, comes down to an
almost Darwinian view of things, where friendliness towards consultants
brought in to help harden and defend a network is a survival trait
(hmm...symbiosis?).  Ethically, I think that serious holes and
vulnerabilities should be brought to light immediately, but practically
thinking, I don't think that to be an absolute, and I certainly will not
hazard myself or my co-workers if I think that there is a risk to releasing
results or findings before everyone is in the room together.


> That's because those of us in the US would rather watch a good ethical
> battle than participate in one.  Witness Florida.

Now, now, now...this is the "pen-test" list, not the "hey, let's get the
whole country together to tell one state how to run their share of the
electoral college" list :)
