Re: [PEN-TEST] Legalities and Liabilities
From: Dan Ryan <DanRyan () DANJRYAN COM>
Date: Tue, 12 Sep 2000 16:28:36 -0400
A written contract between the tester(s) and the organization being tested
is critical. It protects the testers in the event that damage is
inadvertently done, and prevents charges under criminal codes that the
tester is a hacker rather than an authorized user. It also protects the
tester after the test. There are complicated issues that need to be
addressed by an attorney who understands the field. This is not a "do it
Daniel J. Ryan
Attorney at Law
Law Offices of Daniel J. Ryan
380 Forelands Road
Annapolis, Maryland 21401
DanRyan () danjryan com
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Ben Lull
Sent: Tuesday, September 12, 2000 2:43 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Legalities and Liabilities
I have some questions regarding the legal aspects of penetration
testing (I'm hoping this hasn't been answered on the list before;
I haven't had time to keep up for the past couple of weeks).
1.) Before a pen/sec test takes place, what type of legal documentation
should be obtained (disclaimers, limitation of liability, etc.)?
2.) What are major topics that should be discussed and included in a
contract between the pen/sec company and their client? Should a
contract even be written up in the first place?
3.) When conducting a pen/sec test, what legal issues should be kept in
mind (e.g., "get out of jail free" type of stuff)?
5.) After a pen/sec test, if the client's network is cracked, can the
pen/sec company be held responsible?
6.) If the pen/sec company offers services such as actual securing of
systems, can they be held responsible if the systems they secured are
I'd appreciate as much feedback as possible. Once again, I apologize if
this has already been discussed.
* Ben Lull
* ValleyLocal Internet, Inc.
* Systems Administrator