RE: Full Disclosure of Security Vulnerabilities

From: Security Department, anjiTech Data Solutions LLC (security@anjitech.com)
Date: Fri Nov 02 2007 - 15:46:00 EST


As a long-time IT contractor:

If you were hired to pen-test, found a vulnerability, and then released the
vulnerability publicly, you'd best make sure your contract would stand in
court to allow you to do so. If not, you are in for one heckuva lawsuit,
one which you most likely would not win. Morality and security and
everything aside, they hired you to do the test; they did not hire you to
disclose the results to anyone but them.

You need to let the individuals know of the vulnerability in the most
official manner possible under the auspices of your contract and ensure they
respond officially in kind. This can come back and bite you if you don't; it
doesn't take much to say "you never told us, we didn't know" if you don't
COA.

An exploit that affects thousands of clients will cost them mucho bucks, and
as with most corporations, they are always looking for ways to push that
expense off on someone else.

If you have any doubts whatsoever, talk to a lawyer, and one who knows
what you are talking about. Opinions are fantastic, but they do NOT pay the
damages assessed in a court of law.

GET EVERYTHING IN WRITING WHEN DEALING CONTRACTUALLY!!! Anything less is...a
vulnerability...

Jim

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of jfvanmeter@comcast.net
Sent: Wednesday, 31 October 2007 18:00
To: pen-test@securityfocus.com
Subject: Full Disclosure of Security Vulnerabilities

Hello Everyone, I would like to get your thoughts on Full Disclosure of
Security Vulnerabilities. About 3 weeks ago during a pen-test of a software
suite for a client of mine, I found a directory traversal in a software
suite that my client has installed on thousands of workstations.

I sent screen shots and a packet capture to the vendor and they were able
to recreate the exploit.

My client doesn't want to go public with it because of the thousands of
workstations and servers that it's installed on. I also don't believe the
vendor will go public with it. What would you all do?

Best Regards --John

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT