[PEN-TEST] Disclosure policy when performing pentest
From: John Millican <john () NCTECH ORG>
Date: Sat, 25 Nov 2000 10:59:30 -0500
Most people seem to think if the vulnerability is 'high' the client should
be told. How do you draw that line? What is the magic formula where you say
"OK this is bad, you should know now before the report is submitted" (i.e. in
the style of a function x=a+b+c+d^5)?
This is a judgment call that is not subject to being decided by a formula.
This is a call that should be made by the client because only they can decide
the kind and level of risk they are willing to incur. This should be
resolved before the penetration test begins, and the client should provide
the guidelines. If a formula-like process is used to develop the
I find it curious that most of the replies to this thread have mostly NOT
originated from North America.
That's because those of us in the US would rather watch a good ethical
battle than participate in one. Witness Florida.
John M. Millican
New Concept Technologies
john () nctech org