Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Disclosure policy when performing pentest
From: Yonatan Bokovza <Yonatan () XPERT COM>
Date: Thu, 23 Nov 2000 20:43:16 +0200

-----Original Message-----
From: Masse, Robert [mailto:rmasse () RICHTERSECURITY COM]
Sent: Thursday, November 23, 2000 6:00 PM
Subject: [PEN-TEST] Disclosure policy when performing pentest

What is the general consensus concerning the disclosure of
DURING a pen-test?

If you find their web site vulnerable to attack mid-way or at
the beginning
of your pentest do you tell the client immediately?  Or do
you wait until
the end of the pentest when you publish and submit your report?

Before I do a pentest, I usually explain to the client the
pros/cons of each
way.  I let the client decide what is best for his company.

We do much the same. Unless the client requests so, we give
him a complete analysis of our findings when the process is through.

There are cases where we inform immediately about a problem:
Any viral activity we discover in a client's network, either by mail
or open Trojan ports. I guess this rule applies whenever we
discover that someone else is hacking our target.
A different  scenario is when we work on something near production
when time is of essence, and the client's developers can start solving
the problems right away.

I personally prefer to wait until the end since when I am
usually performing
a pentest, the company is so full of vulnerabilities we will
never finish if
I would disclose on every major vulnerability.  I would
rather wait until
the end and present the report with a seperate 'immediate to-do list'.

Same for me.

Waiting usually involves about 1 weeks time.

That depends on the scale of the job.

Anyone want to comment on this?



Robert Masse, CISSP
Chief Technical Officer

Richter Security Inc.
2 Place Alexis Nihon, suite 905
Montreal, Quebec, Canada
+514 934 3566 Direct
+514 934 3406 Fax

Best Regards,

Yonatan Bokovza
IT Security Consultant.
yonatan () xpert com
Xpert Trusted Systems
Shenkar 1, Herzlia Pituach

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]