mailing list archives
Re: [PEN-TEST] Disclosure policy when performing pentest
From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Fri, 24 Nov 2000 07:31:32 -0800
"Masse, Robert" wrote:
Great feedback so far.
Most people seem to think if the vulnerability is 'high' the client
should be told. How do you draw that line? What is the magic formula
where you say "OK this is bad, you should know now before the report
is submitted" (IE in the style of a function x=a+b+c+d^5).
There are a few things you can use in an algorithmic sort of way.
o How long is the test supposed to last?
If the test is of limited length, or is nearing a close, you would
probably want to wait until after it is over.
o Is it limited in some way, or inclusive of the entire enterprise?
Not all tests cover the enterprise. It may be that the area you are
testing is small enough that the exploited vulnerability is not
likely to affect much of the enterprise.
o What will the business cost be (approximately) if the particular
machine or application is compromised before the completion of
If the vulnerability you found means that the web page can be
defaced, unless it's CNN you're doing the test for, ignore it.
That is, of course, unless the web server is not located in a DMZ,
or provides other services than just http/https.
o How easy is it to exploit the vulnerability you've found?
Is it a variety of statd? Is it yet another IIS exploit?
You might want to actually use the exploit, lock down the machine,
and continue on. If not, and the standard script monster can get
in before you finish your tests, you should try to get the worst
cases locked down before you contine.
o Is it already exploited?
This is the most difficult. If you find a machine that already
appears to have been violated, you really must notify your employer
(defined here as the person who you are testing), and stop the test
at once. It is now a case for forensics, not further testing.
I find it curious that most of the replies to this thread have
mostly NOT originated from North America.
I'd remind you that much of NA was distracted with the annual gluttony
Real programmers disdain structured programming. Structured
programming is for compulsive neurotics who were prematurely
toilet-trained. They wear neckties and carefully line up
pencils on otherwise clear desks.