Penetration Testing
mailing list archives
Re: Full Disclosure of Security Vulnerabilities
From: Junaid <junaid () thusa co za>
Date: Thu, 01 Nov 2007 08:38:56 +0200
Hi John,
Personally, I do believe the vulnerability should be disclosed soon.
However, like you mentioned, there are client systems at risk.
Has the vendor created/released a patch for the vulnerability?
If so, then ensure your client's systems are fully patched before making
the vulnerability public knowledge.
If not, then I think the vendor should be notified that the
vulnerability will be made public soon, and that they MUST release a
patch to fix the issue.
Personally, I feel that the main aim of full disclosure... is to ensure
that vendors do not become lazy with patch releases and updates.
Regards,
Junaid
jfvanmeter () comcast net wrote:
Hello Everyone, I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks
ago during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite
that my client has installed on thousands of workstations.
I sent screen shots and a packet capture to the vendor and they were able to recreate the exploit.
My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed
on. I also don't believe the vendor will go public with it, what would you all do?
Best Regards --John
--
Junaid Loonat (B.Sc CompSci & Information Systems)
Software Development
Thusa Business Support (Pty) Ltd
Website: http://www.thusa.co.za
"Without our hardships, what worth are our successes?"