Penetration Testing mailing list archives

RE: Things to do before vulnerability disclosure


From: "Alex Eden" <Alex.Eden () senet-int com>
Date: Tue, 16 Jun 2009 11:08:52 -0400

If you discovered something in the course of your normal work duties or
during an engagement, clear it with your superiors first! Get an
authorization in writing! That's a first step.

Second, evaluate your options - do you want to disclose it anonymously or
take credit? If you want credit, work with the respective vendor and
coordinate your disclosure with them.

Otherwise you may run into some legal issues.

In Germany (and maybe some other countries with draconian cyber laws) you
need to be extra careful.

The overall business environment in the US is rather hostile to such disclosures.
Most of my colleagues would not bother disclosing anything discovered in
commercial applications (COTS) during engagements. Think about your personal
situation - is it worth it for you?



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Giuseppe Fuggiano
Sent: Monday, June 15, 2009 2:11 PM
To: pen-test () securityfocus com
Subject: Things to do before vulnerability disclosure

Hi list,

What are, if any, the legal and "ethical" things to do before someone
could publicly disclose a given vulnerability?

-- 
Giuseppe

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

