
Month: August 2018


A Vulnerability Disclosure Gone Wrong

An example of a vulnerability disclosure gone wrong… Background: I debated mentioning the company but will resist. While making a contribution through a well-known payment processing app, I discovered a vulnerability. It was an OWASP top-10 vulnerability and was discoverable while doing nothing more than using the app as a normal-ish user would. Okay, true, […]


Shields Down Security Testing

Should security testing (vulnerability scanning, web app pentesting, etc.) be performed through a full protection stack (firewall, IPS, WAF, email filter, etc.) or not? Some may answer with an initial gut reaction of, “Of course. It should be through whatever protection solutions are typically in place so it will most accurately reflect what an attacker […]


My Disclosure Process

Here are my disclosure processes and guidelines. This is for those discoveries which seem to just fall in my lap while casually using and/or seeing a product. My disclosure process is an attempt to do the right thing when this happens. Note: NDA-protected discoveries (e.g. through a client engagement) would not be subject to this. My […]