Penetration Testing mailing list archives
Re: Full Disclosure of Security Vulnerabilities
From: mlevenstein () spohncentral com
Date: 1 Nov 2007 13:11:31 -0000
With thousands of installations of this product, your client should address the issue with the vendor and insist on a patch. Since the vendor has already worked with you on recreating the exploit and testing, perhaps the vendor is working on a patch. (They may plan to announce the vulnerability only when they release the fix for it.)

As to your client, you owe them disclosure of the security hole. But you would be working against the client's interests to make the issue public. The question is: Do you have fiduciary responsibility to the client? If so, you must put their interests first. Publicly disclosing that software they use is seriously flawed could harm your client's business (and your reputation as an auditor).

Just my thoughts on the matter. I'm new to pen-testing and learning the business rules.