Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Disclosure policy when performing pentest
From: "Gallicchio, Florindo (2007)" <florindo.gallicchio () ESAVIO COM>
Date: Thu, 23 Nov 2000 18:46:36 -0500

Rob:

In almost every instance, I believe it is imperative to let the client know
immediately of any vulnerability that can be exploited relatively "easily"
to penetrate the network (or individual server).  I do this because the
probability of someone else finding that vulnerability is pretty high.

If, however, like in your case where there are so many vulnerabilities all
lumped together, I may tell the client to do something higher-level to at
least "get them over the hump" until they can better address each
vulnerability.  For example, I may advise the client to use a firewall rule
or router ACL entry to block a certain vulnerable service, or perhaps have
the client alter a certain OS parameter, provided that doing this doesn't
prohibit the mission of the server itself.

Since we provide specific fixes for each vulnerability and teach the client
how to make those fixes themselves, it fits our operating model to help them
as we find each high-risk problem.

It's a case-by-case issue for me, but it's almost always an immediate
notification, especially if I successfully penetrate the network or server.

Florindo

Florindo Gallicchio
VP, Business Development, Information Security
esavio
florindo.gallicchio () esavio com

-----Original Message-----
From: Masse, Robert
To: PEN-TEST () SECURITYFOCUS COM
Sent: 11/23/00 11:00 AM
Subject: [PEN-TEST] Disclosure policy when performing pentest

What is the general consensus concerning the disclosure of
vulnerabilities
DURING a pen-test?

If you find their web site vulnerable to attack mid-way or at the
beginning
of your pentest do you tell the client immediately?  Or do you wait
until
the end of the pentest when you publish and submit your report?

Before I do a pentest, I usually explain to the client the pros/cons of
each
way.  I let the client decide what is best for his company.

I personally prefer to wait until the end since when I am usually
performing
a pentest, the company is so full of vulnerabilities we will never
finish if
I would disclose on every major vulnerability.  I would rather wait
until
the end and present the report with a seperate 'immediate to-do list'.
Waiting usually involves about 1 weeks time.

Anyone want to comment on this?

Thanks

Rob



Robert Masse, CISSP
Chief Technical Officer

Richter Security Inc.
2 Place Alexis Nihon, suite 905
Montreal, Quebec, Canada
+514 934 3566 Direct
+514 934 3406 Fax


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]