Penetration Testing mailing list archives
[PEN-TEST] Disclosure policy when performing pentest
From: John Millican <john () NCTECH ORG>
Date: Sat, 25 Nov 2000 10:59:30 -0500
1) Most people seem to think if the vulnerability is 'high' the client should be told. How do you draw that line? What is the magic formula where you say "OK this is bad, you should know now before the report is submitted" (i.e. in the style of a function x=a+b+c+d^5).

This is a judgment call that is not subject to being decided by a formula. This is a call that should be made by the client because only they can decide the kind and level of risk they are willing to incur. This should be resolved before the penetration test begins, and the client should provide the guidelines. If a formula-like process is used to develop the guidelines, fine.

2) I find it curious that most of the replies to this thread have mostly NOT originated from North America.

That's because those of us in the US would rather watch a good ethical battle than participate in one. Witness Florida.

John M. Millican
New Concept Technologies
john () nctech org