Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 19 Jan 2009 14:34:52 +0000
Shenk, Jerry A wrote:
I'm not sure I agree with this statement. If I'm testing a client's app and I find a vulnerability, I don't have any ethical requirement NOT to tell them. In fact, they are paying me, so it seems like they (to a degree) own the results of my testing. In fact, I would give the client the option to determine how the vendor gets notified. I've typically given the client full information and let them notify the vendor and call me in if needed.
Seconded. You have no legal requirement (although it's Best Practice) to follow the Responsible Disclosure procedures, but you can make a reasonable case that, if you are being paid by your client and not the software vendor, you have a duty to disclose any or all material vulnerability information (under NDA if appropriate) you discover during your investigation. I know a lot of vendors try the "no announcements, no disclosures, no reviews without permission" approach, but that isn't binding on you unless you are *their* customer - of course, you can (and they probably will) try claiming that the agreement is binding on subcontractors of customers, but I doubt they can claim that holds true when communicating your "concerns" to your employer (i.e. if your only duty of non-disclosure is as an employee of 'x', then disclosing to 'x' can't possibly be in violation of that duty, as you are an employee of 'x' and therefore any info is already the property of 'x' - they can't have it both ways).