
Penetration Testing mailing list archives

RE: The legal / illegal line?
From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 28 Mar 2007 10:55:14 +1000


Of course if you do a "free" test you have no consideration. No
consideration means that there is no contract. No contract means that
you have liability and little cover in most jurisdictions.

I.e. something goes wrong, you are up a certain creek with no paddle.

Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Varun Nair
Sent: Sunday, 25 March 2007 4:15 AM
To: Philosophil
Cc: pen-test () securityfocus com
Subject: Re: The legal / illegal line?

2 options:

1. Offer to do a free lightweight pen test for the company. They might
engage you for free and when you have something you can convince them
to hire you for a more comprehensive paid pen test.

2. Use Google and other resources to indirectly find issues with the
network/website under question and show it to them. IANAL but I do not
think this would be illegal. Maybe others can comment on this...

Regards,
Varun V Nair

On 05/03/07, Philosophil <flosofl () gmail com> wrote:
I'd say it's pretty straight forward:

Legal = you or your company is hired and has a contract with very
specific language detailing what is to be tested

Illegal = you perform an unsolicited pen-test in order to drum up
business.  Or even to be a "good citizen"

Basically, CYA and only do testing you have been hired to do.  Do no
more than that, or be willing to face potential legal nightmare.

Just my 2 cents.


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.


