Home page logo
/

pen-test logo Penetration Testing mailing list archives

Follow up on "How much do you disclose to customers?"
From: ethanpreston () ziplip com
Date: Tue, 6 Jan 2004 14:20:35 -0800 (PST)

The list previously hashed out the pros and cons of informing the client's entire personnel about the coming pen-test. 
One of the issues that came up was the potential for the client's employed security staff to use the advance notice to 
game the results and skew the test results:
http://seclists.org/lists/pen-test/2003/Dec/0105.html

How does the pen-test community on this list deal with possibility of legal reprisal from the client's employees? No 
matter what contractual liability limitations you can negotiate with the client, that won't extend to an employee that 
gets canned because one's report paints them in an incompetant light.

I think there's a slashdot post on this topic (from the other side), where at least some of the posters start muttering 
for legal action.
http://ask.slashdot.org/article.pl?sid=03/12/19/0456221&mode=thread&tid=126&tid=163

Cheers,

Ethan

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]