mailing list archives
Re: [PEN-TEST] Legal aspect of Pen-Test
From: "Thompson, Stephen" <stephen () FISHNETSECURITY COM>
Date: Thu, 5 Oct 2000 16:26:54 -0500
here is a copy of a legal document that we use for Pen-Test liability
avoidance. It is based on a document that is used by and was forwarded to
us by the FBI. It (attached) is in Microsoft Word 2000 format.
here it is in Text:
Release and Authorization
During the course of the investigation, there may be several procedural
points that the client must be aware of including:
· The Investigator may employ the same methods and tools of known
computer aided pranksters, vandals, criminals, terrorists and foreign agents
during the course and conduct of this security audit.
· These methods may also include impersonation of authorized personnel
through "social engineering" for information gathering via telephone,
e-mail, or other electronic means that are limited to the client’s immediate
personnel and network.
· These methods, when used without authorization and permission of the
organization they are being employed against, may constitute a violation of
state and possibly federal criminal codes.
· Although no damages or disruptions to the client’s activities or
systems are anticipated as a result of this exercise, there is a very small
but real possibility that such damages and disruptions could occur. The
client shall hold the Investigator faultless and not legally, morally, or
monetarily liable for any such damages or disruptions.
· If the exercise appears to be causing a real or suspected disruption
to the client’s activities, operations, or production systems, the
Investigator will immediately halt the exercise.
Due to the sensitive nature of this scope of work, it is imperative that the
client must understand the associated risks. As a precaution, Fishnet has
prepared a stringent protocol for guaranteeing the success of this
investigation. Included in this document is a Guarantee of Confidentiality
and Consideration that is being provided to outline the precautions being
used. It is also requested that the client provide an indication of the
understanding and acceptance of these risks and precautions.
I understand that at no time will the Investigator divulge any information
regarding the details of the investigation or evidence collected to any
third party other than what has been specified within this document, without
the explicit written authorization of the primary contact and authorizing
I also understand that the investigator will provide full and complete
disclosure of all information gathered, including copies of data and
evidences, and reports created by the investigator. I understand that the
investigator will keep the organization informed of all activities,
operations, and proceedings of the investigation.
I understand that the investigator normally reserves the right to keep
copies of reports generated for administrative, archival, and training
purposes. I understand that this information is only used in-house and will
not be divulged to any third party. I understand that if I wish for the
investigator to not maintain copies of evidences gathered during the
investigation, it must be specified in the Scope of Services Requested
section of this document.
As an authorized agent for the client, I do hereby grant the investigator
permission to perform research, make recommendations, and follow the course
of action requested by the scope of services listed here.
(Signature of authorized representative for the client and date)
From: Pascal Longpre [mailto:longprep () HOTMAIL COM]
Sent: Thursday, October 05, 2000 2:35 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Legal aspect of Pen-Test
Does anyone has a template or an example of what a legal Pen-Test contract
looks like, so the security firm is covered in the case where:
- The Pen-Tester get traced and the police knocks at his door
- The Pen-Tester is beleived to have cause damage to the customer equipment
or data during the penetration.
- the customer has followed the security firm's advices and implemented the
required security mesures but is hacked a few days after.
- Any other problem that can arise from the security firms activities
I'm looking for the legal stuff or ideas of what it might include.
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Share information about yourself, create your own public profile at