Penetration Testing mailing list archives
RE: Things to do before vulnerability disclosure
From: "Alex Eden" <Alex.Eden () senet-int com>
Date: Tue, 16 Jun 2009 11:08:52 -0400
If you discovered something in the course of your normal work duties or during an engagement, clear it with your superiors first! Get authorization in writing! That's the first step.

Second, evaluate your options: do you want to disclose it anonymously or take credit? If you want credit, work with the respective vendor and coordinate your disclosure with them. Otherwise you may run into some legal issues. In Germany (and maybe some other countries with draconian cyber laws) you need to be extra careful.

The overall business environment in the US is rather hostile to such disclosures. Most of my colleagues would not bother disclosing anything discovered in commercial applications (COTS) during engagements. Think about your personal situation: is it worth it for you?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Giuseppe Fuggiano
Sent: Monday, June 15, 2009 2:11 PM
To: pen-test () securityfocus com
Subject: Things to do before vulnerability disclosure

Hi list,

What are, if any, the legal and "ethical" things to do before someone could publicly disclose a given vulnerability?

--
Giuseppe

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- Re: Things to do before vulnerability disclosure, (continued)
- Re: Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 16)
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 16)
- Message not available
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 17)
- Re: Things to do before vulnerability disclosure Aarón Mizrachi (Jun 17)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 17)
- Re: Things to do before vulnerability disclosure Jeffrey Walton (Jun 18)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 18)
- RE: Things to do before vulnerability disclosure Nick Vaernhoej (Jun 18)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 20)
- Re: Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 16)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 17)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 18)
- Re: Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 19)