Re: Publishing Findings on Commercial Applications



Why would you want to make this information public? Self promotion maybe?

Over the past year I have found vulnerabilities in several commercial
products in the routing, switching, voip, and wireless space. I did
not post my findings to the world I sent my testing notes to the vendors
to fix their problems. I have found that road the best to travel with
the vendors and my customers.

If you found security issues relating to the application that you were
testing tell the vendor. If the vulnerabilities were related to
customer configuration issues than write a white paper outlining best
practices for the application, you will get more traction.

Intel96



On 6/13/06, Jezebel Ali <jezebel_ali@xxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----

I have question: If I performing Penetration Test on customer site
and this customer has a commercial application which is not
publicly available for download or purchase, do I have a right to
publish finding of this application to the public without
mentioning customer name?

This application widely used by banking and financial industry and
not always available to anyone for testing.



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------



Relevant Pages

  • RE: Entity tags as an HTTP covert channel
    ... based vulnerabilities. ... Security Assurance Throughout the Application Lifecycle ... Download FREE whitepaper on how a managed service can ...
    (Pen-Test)
  • Re: Security Audit
    ... The tester can see there if the network is "tight" or not. ... the customer should be encouraged to fix major/ ... Pure service scanning for "common" vulnerabilities takes a bit more ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Network shutdown caused by a port scanner. "DENIAL OF SEVICE"
    ... Recently we underwent some security testing with one of our customers. ... TCP 23 TELNET ... believe they are security vulnerabilities, our customer was not concerned ...
    (microsoft.public.windowsce.embedded)
  • Re: Re: Vulnerability scanning across Firewall
    ... We are scanning the servers from same segment and we get a big list of vulnerabilities. ... Whatever difficulties we would face due to presence of a security control, a person with malicious intent would also face same problem due to presence of the same control. ... Download FREE whitepaper on how a managed service can ...
    (Pen-Test)
  • Re: Security Audit
    ... Several automated tools came back all clear. ... > and double decode vulnerabilities. ... At the end of the day, a security consultant's job ... is to give the customer the most bang for the buck. ...
    (Pen-Test)