Penetration Testing: Re: Full Disclosure of Security Vulnerabilities

Re: Full Disclosure of Security Vulnerabilities

From: <mlevenstein_at_spohncentral.com>
Date: 1 Nov 2007 13:11:31 -0000
With thousands of installations of this product, your client should address the issue with the vendor and insist on a patch.

Since the vendor has already worked with you on recreating the exploit and testing, perhaps the vendor is working on a patch. (They may plan to announce the vulnerability only when they release the fix for it.)

As to your client, you owe them disclosure of the security hole. But you would be working against the client's interests to make the issue public.

The question is: Do you have fiduciary responsibility to the client? If so, you must put their interests first. Publicly disclosing that software they use is seriously flawed could harm your client's business (and your reputation as an auditor).

Just my thoughts on the matter. I'm new to pen-testing and learning the business rules.

Received on Nov 01 2007
