Penetration Testing mailing list archives

RE: Full Disclosure of Security Vulnerabilities


From: "Security Department, anjiTech Data Solutions LLC" <security () anjitech com>
Date: Fri, 2 Nov 2007 21:46:00 +0100

As a long-time IT contractor:

If you were hired to pen-test, found a vulnerability, and then released the
vulnerability public, you'd best make sure your contract would stand in
court to allow you to do so. If not, you are in for one heckuva lawsuit,
one which you would not most likely win. Morality and security and
everything aside, they hired you to do the test, they did not hire you to
disclose the results to anyone but them.

You need to let the individuals know of the vulnerability in the most
official manner possible under the auspices of your contract and ensure they
respond officially in kind. This can come back and bite you if you don't, it
doesn't take much to say "you never told us, we didn't know" if you don't
COA.

An exploit that affects thousands of clients will cost them mucho bucks, and
as with most corporations, they are always looking for ways to push that
expense off on someone else.

If you have any doubts whatsoever, talk to a lawyer, and one who knows
what you are talking about. Opinions are fantastic, but they do NOT pay the
damages assessed in a court of law.

GET EVERYTHING IN WRITING WHEN DEALING CONTRACTUALLY!!! Anything less is...a
vulnerability...

Jim

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of jfvanmeter () comcast net
Sent: Wednesday, 31 October 2007 18:00
To: pen-test () securityfocus com
Subject: Full Disclosure of Security Vulnerabilities 


Hello Everyone, I would like to get your thoughts on Full Disclosure of
Security Vulnerabilities. About 3 weeks ago during a pen-test of a software
suite for a client of mine, I found a directory traversal in a software
suite that my client has installed on thousands of workstations.

I sent screen shots and a packet capture to the vendor and they were able
to recreate the exploit.

My client doesn't want to go public with it because of the thousands of
workstations and servers that it's installed on. I also don't believe the
vendor will go public with it, what would you all do?

Best Regards --John

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
