Penetration Testing mailing list archives

RE: Follow up on "How much do you disclose to customers?"

From: "Rob Shein" <shoten () starpower net>
Date: Wed, 7 Jan 2004 18:40:37 -0500

That slashdot post talks about something entirely different.  The vendor in
question didn't come up with a list of vulnerabilities that were bad...they
pointed at the sole security engineer as the vulnerability himself.
Furthermore, they then moved in to replace him.  This is rather a no-no in
terms of the OSTMM, for obvious reasons.  It's one thing if a company reacts
or even overreacts to a report of factual findings (an open port is an open
port, regardless of office politics or the sales quota of a vendor) and
fires someone, it's another thing if the company producing the report goes
so far over the line as to state that an employee of another organization is
to blame for insecurity.  I don't feel that if this vendor got sued that I'd
be nervous about legal risk when handing over a report done my way.

-----Original Message-----
From: ethanpreston () ziplip com [mailto:ethanpreston () ziplip com] 
Sent: Tuesday, January 06, 2004 5:21 PM
To: pen-test () securityfocus com
Subject: Follow up on "How much do you disclose to customers?"

The list previously hashed out the pros and cons of informing 
the client's entire personnel about the coming pen-test. One 
of the issues that came up was the potential for the client's 
employed security staff to use the advance notice to game the 
results and skew the test results: 
http://seclists.org/lists/pen-> test/2003/Dec/0105.html

How 
does the pen-test community on 
this list deal with possibility of legal reprisal from the 
client's employees? No matter what contractual liability 
limitations you can negotiate with the client, that won't 
extend to an employee that gets canned because one's report 
paints them in an incompetant light.

I think there's a slashdot post on this topic (from the other 
side), where at least some of the posters start muttering for 
legal action. 
http://ask.slashdot.org/article.pl?sid=03/12/19/0456221&mode=t

hread&tid=126&tid=163

Cheers,

Ethan

---------------------------------------------------------------------------
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Follow up on "How much do you disclose to customers?" ethanpreston (Jan 07)
- RE: Follow up on "How much do you disclose to customers?" Rob Shein (Jan 08)
- <Possible follow-ups>
- RE: Follow up on "How much do you disclose to customers?" ethanpreston (Jan 08)