Penetration Testing mailing list archives
Re: Full Disclosure of Security Vulnerabilities
From: mlevenstein () spohncentral com
Date: 1 Nov 2007 13:11:31 -0000
With thousands of installations of this product, your client should address the issue with the vendor and insist on a patch.

Since the vendor has already worked with you on recreating the exploit and testing, perhaps the vendor is working on a patch. (They may plan to announce the vulnerability only when they release the fix for it.)

As to your client, you owe them disclosure of the security hole. But you would be working against the client's interests to make the issue public.

The question is: Do you have fiduciary responsibility to the client? If so, you must put their interests first. Publicly disclosing that software they use is seriously flawed could harm your client's business (and your reputation as an auditor).
Just my thoughts on the matter. I'm new to pen-testing and learning the business rules.