Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Disclosure policy when performing pentest
From: andy lowton <andy () DRAGONFLY DEMON CO UK>
Date: Thu, 23 Nov 2000 22:41:37 +0000

I think you have raised an interesting issue. We have found that if you
disclose what you are finding as you go along, sys admins will start fixing the
problems. This is great if they do it right, but they often change other things
as well. What you should do then is re-test the box as the results you got are
now invalid, but when you are testing a huge network this is not possible in
the limited time available.

On the other hand if you say nothing about phf on an Internet web server and it
gets 0wned before you get round to writing the report.......

At the end of the day, I think it depends on the severity of the problem and
you have to play it by ear.

Cheers

andy


---------------------------------------
E-Mail: andy () dragonfly demon co uk
PGP/GnuPG Key available on request
Cultivating a healthy uptime addiction
---------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]