Re: [PEN-TEST] Disclosure policy when performing pentest

From: andy lowton <andy_at_DRAGONFLY.DEMON.CO.UK>
Date: Thu, 23 Nov 2000 22:41:37 +0000

I think you have raised an interesting issue. We have found that if you
disclose what you are finding as you go along, sysadmins will start fixing the
problems. This is great if they do it right, but they often change other things
as well. What you should do then is re-test the box, as the results you got are
now invalid, but when you are testing a huge network this is not possible in
the limited time available.

On the other hand, if you say nothing about phf on an Internet web server and it
gets 0wned before you get round to writing the report...

At the end of the day, I think it depends on the severity of the problem, and
you have to play it by ear.

Cheers

andy

---------------------------------------
E-Mail: andy_at_dragonfly.demon.co.uk
PGP/GnuPG Key available on request
Cultivating a healthy uptime addiction
---------------------------------------
Received on Nov 25 2000