Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: The legal / illegal line?
From: Martin Zimmermann <Prohest () gmail com>
Date: Mon, 05 Mar 2007 22:52:58 +0100

Never _ever_ engage in anything without a signed "get of of jail letter" + an quite specific agreement stating what you are authorized to do and what the potentiel riscs are. Dotzero is very right in concluding that they are _not_ in any way a client until a signed agreement exsists. I can only imagine very few (and somewhat far fetched) situations where you "discover" a vulnerability without "crossing the line", both in relation to the law and morally. Besides no serious client would ever hire a pen-test team that "pre-pens" them. It shows a complete lack of professionalism and often borders on black-mail in most situations of cases I've come across. And it qiute frankly sounds like you crossed the line!

Just my 1½ cent

Martin

-

Dotzero skrev:
The original question from Barry was about legal vs illegal. There is
only one (IMHO) answer to that question. It depends on jurisdiction.
The laws that apply in one jurisdiction may not apply in another.

I'm also concerned about Barry asking about when others "approach a
client" to tell them about their insecurities following a "simple
pen-test".. They are NOT your client unless they have engaged you.
They are a potential client. They have no relationship with you and
you have not been authorized by them to do anything on their behalf.
Even if you haven't done anything illegal, most companies I'm familiar
with would be unlikely to hire you or your company under such
circumstances. The actions you describe are indicative of a failure to
recognize appropriate boundaries.

A more reasonable approach (and one more likely to attract business)
would be to have your sales people pitch a free security assessment.
Have a standard agreement authorizing a standard but limited set of
activities that you can then use to show a potential client how they
might benefit from your services.

As usual, just my 2 cents.

dotzero

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------




---
avast! Antivirus: Udgaende besked er ren.
Virus Database (VPS): 000721-1, 03-03-2007
Testet: 05-03-2007 22:52:58
avast! - copyright (c) 1988-2007 ALWIL Software.
http://www.avast.com/




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]