Of course this doesn't stop prospects from asking in their bloated RFPs how many CVEs your team has. 
Prikaži ovu nit
Anyone who's been a security consultant knows that vulnerabilities you discover while pen testing a customer (a) belong to the customer and (b) are under NDA. The few random CVEs I have are because the customer wanted us to handle disclosure.https://twitter.com/msredmond/status/1213865526281342983 …
Retweet if you *also* don't have any CVE's but are still a valued member of the infosec community. 
Prikaži ovu nit
-
-
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Depends on the contract. It's a bit more complex when we find them in 3rd party tools. We offer to drive comms w/ vendor. We do have a clause in our contract that states we reserve the right to take vuln to vendor if client does not allow us to contact vendor.
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
I wish everyone knew this. There are some famous pentesting firms that don't play by this rule.
#burntHvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
This may not be true dependant on the contract you have with your client. At a place I used to work, our contract had clauses granting us ownership of vulns in third party (not written by or for client) software we encountered on tests.
-
I found vulns in apps numerous times and the client never reported them. Some clients just aren’t cut out for reporting them, all PT firms should be though.
Kraj razgovora
Novi razgovor -
-
-
I found some cool vulns too I wish I could do a write up on them or something
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Damn, I found one I was excited to post but it was on the company dime so I will stay quiet
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
I fall in this, and honestly seeing the Argy bargy that occurs with vendors I don't feel like I'm missing much either!
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Although I wonder is it fair that I exploit a 0 day in same software ? I found bug at customer A and “find it again” at customer B?
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.