Hello, Josh Perrymon wrote:
While performing a pen-test for a large company I found a directory transversal vulnerability in a search program—
Were you testing for the company that produces that software? If so, they are the customer, and since they are paying you, they get to choose who is going to be informed (any contract I would ever set up with a pen tester would include such a clause, and unless they are completely clueless I bet yours does too).
He told me that they found the hole internally a couple months ago but they don’t want it public and they said I should not tell anyone about it because they don’t want their customers at risk.
Bullshit. Their customers are at risk now. If they want to minimize the impact on their customers, they should prepare a fix, then notify large customers (who need to go through some rollout procedure) under an NDA and inform the remaining customers about an upcoming security fix to be released on (insert timestamp two days later).
In my experience, there are two or three customers who will demand to have the fix instantaneously (with at least five exclamation marks[1]), but the majority understands that this strategy is most beneficial to them as they have time to make sure a techie is ready to implement the fix as soon as the vulnerability is disclosed.
Simon [1] cue obvious Terry Pratchett reference
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/