
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

Because recreating a flaw is critical in determining the cause and eventual solution, the finder is encouraged to cooperate with the vendor during this phase.

NOTE Although cooperation is strongly recommended, the only requirement of the finder is to submit a detailed vulnerability summary report (VSR).
Findings
When the vendor finishes its investigation, it must return one of the following conclusions to the finder:
• It has confirmed the flaw.
• It has disproved the reported flaw.
• It can neither prove nor disprove the flaw.
The vendor is not required to provide detailed testing results, engineering practices, or internal procedures; however, it is required to demonstrate that a thorough, technically sound investigation was conducted. This can be achieved by providing the finder with:
• A list of the products/versions that were tested
• A list of the tests that were performed
• The test results
Confirmation of the Flaw
In the event that the vendor confirms that the flaw does indeed exist, it must follow up this confirmation with the following action items:
• A list of the products/versions affected by the confirmed flaw
• A statement on how a fix will be distributed
• A timeframe for distributing the fix
Disproof of the Flaw
In the event that the vendor disproves the reported flaw, the vendor then must show the finder that one or both of the following are true:
• The reported flaw does not exist in the supported product.