Re: [PEN-TEST] Disclosure policy when performing pentest
From: Yonatan Bokovza <Yonatan () XPERT COM>
Date: Thu, 23 Nov 2000 20:43:16 +0200
> From: Masse, Robert [mailto:rmasse () RICHTERSECURITY COM]
> Sent: Thursday, November 23, 2000 6:00 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: [PEN-TEST] Disclosure policy when performing pentest
>
> What is the general consensus concerning the disclosure of DURING a pen-test?
>
> If you find their web site vulnerable to attack mid-way or at of your pentest do you tell the client immediately? Or do you wait until the end of the pentest when you publish and submit your report?
>
> Before I do a pentest, I usually explain to the client the pros/cons of each way. I let the client decide what is best for his company.
We do much the same. Unless the client requests so, we give him a complete analysis of our findings when the process is through.

There are cases where we inform immediately about a problem: any viral activity we discover in a client's network, either by mail or open Trojan ports. I guess this rule applies whenever we discover that someone else is hacking our target.

A different scenario is when we work on something near production when time is of the essence, and the client's developers can start solving the problems right away.
> I personally prefer to wait until the end since when I am a pentest, the company is so full of vulnerabilities we will never finish if I would disclose on every major vulnerability. I would rather wait until the end and present the report with a separate 'immediate to-do list'.
Same for me.
> Waiting usually involves about 1 week's time.
That depends on the scale of the job.
> Anyone want to comment on this?
>
> Robert Masse, CISSP
> Chief Technical Officer
> Richter Security Inc.
> 2 Place Alexis Nihon, suite 905
> Montreal, Quebec, Canada
> +514 934 3566 Direct
> +514 934 3406 Fax
IT Security Consultant.
yonatan () xpert com
Xpert Trusted Systems
Shenkar 1, Herzlia Pituach