mailing list archives
Re: [PEN-TEST] Disclosure policy when performing pentest
From: "Gallicchio, Florindo (2007)" <florindo.gallicchio () ESAVIO COM>
Date: Thu, 23 Nov 2000 18:46:36 -0500
In almost every instance, I believe it is imperative to let the client know
immediately of any vulnerability that can be exploited relatively "easily"
to penetrate the network (or individual server). I do this because the
probability of someone else finding that vulnerability is pretty high.
If, however, like in your case where there are so many vulnerabilities all
lumped together, I may tell the client to do something higher-level to at
least "get them over the hump" until they can better address each
vulnerability. For example, I may advise the client to use a firewall rule
or router ACL entry to block a certain vulnerable service, or perhaps have
the client alter a certain OS parameter, provided that doing this doesn't
prohibit the mission of the server itself.
Since we provide specific fixes for each vulnerability and teach the client
how to make those fixes themselves, it fits our operating model to help them
as we find each high-risk problem.
It's a case-by-case issue for me, but it's almost always an immediate
notification, especially if I successfully penetrate the network or server.
VP, Business Development, Information Security
florindo.gallicchio () esavio com
From: Masse, Robert
To: PEN-TEST () SECURITYFOCUS COM
Sent: 11/23/00 11:00 AM
Subject: [PEN-TEST] Disclosure policy when performing pentest
What is the general consensus concerning the disclosure of
DURING a pen-test?
If you find their web site vulnerable to attack mid-way or at the
of your pentest do you tell the client immediately? Or do you wait
the end of the pentest when you publish and submit your report?
Before I do a pentest, I usually explain to the client the pros/cons of
way. I let the client decide what is best for his company.
I personally prefer to wait until the end since when I am usually
a pentest, the company is so full of vulnerabilities we will never
I would disclose on every major vulnerability. I would rather wait
the end and present the report with a seperate 'immediate to-do list'.
Waiting usually involves about 1 weeks time.
Anyone want to comment on this?
Robert Masse, CISSP
Chief Technical Officer
Richter Security Inc.
2 Place Alexis Nihon, suite 905
Montreal, Quebec, Canada
+514 934 3566 Direct
+514 934 3406 Fax