|
Penetration Testing
mailing list archives
Re: Full Disclosure of Security Vulnerabilities
From: "Mike Hale" <eyeronic.design () gmail com>
Date: Wed, 31 Oct 2007 23:42:25 -0700
What does your contract with your client state? What kind of NDA did
you sign? Legally, you'd be well advised to consult with an attorney
prior to disclosing anything publicly.
Morally, until a patch is applied to your clients' network, you
shouldn't disclose. You found the vulnerability on your clients'
time, and you should respect their wishes in this case.
On 10/31/07, Brian Toovey <admin () vulntrac com> wrote:
Sell it on that auction site :)
--
Brian Toovey
admin () vulntrac com
http://vulntrac.com
On 10/31/07, jfvanmeter () comcast net <jfvanmeter () comcast net> wrote:
Hello Everyone, I would llike to get your thoughts on Full Disclosure of Security Vulnerabilities . About 3 weeks
ago during a per-test of a software suite for a client of myine, I found a directory traversal in a software suite
that my client has installed on thousands of workstation.
I send screen shots and a packet capture to the vendor and they were able to to recreate the exploit.
my cleint doesn't want to go public with it because of the thousands of workstations and servers that its installed
on. I also don't believe the vendor will go public with it, what would you all do?
Best Regards --John
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- Re: Full Disclosure of Security Vulnerabilities Mike Hale (Nov 01)
|
Intro
