Penetration Testing mailing list archives
Re: [PEN-TEST] Question on licensing terms and disclosure?
From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Tue, 12 Dec 2000 09:01:23 -0800
Fernando Montenegro wrote:

> Hello everyone,
> Quick legalese questions: On doing our penetration tests, how do the license agreements that our customers have with their equipment providers affect us?
>
> [reverse engineering example]

I don't think that pen-testing qualifies as reverse-engineering, unless your definition is dramatically different from the standard. You aren't attempting to reproduce the black box, just break it. Not the same.

> A second question deals with disclosure of vulnerabilities on lists such as this one. Does the contract signed between you (the pentester) and the customer include a clause allowing you to share technical information you find?

I wouldn't even put a clause like that in an agreement. I realize that a customer might ask for it, but you should not sign it. That is simply too broad a statement. I believe that you can have technical discussions of most of what you might find without identifying a particular customer. In those cases where it would identify someone specifically, this forum would not be the place to do that. I have made posts here that were sanitized questions, or suggestions, that came directly from the real world.

> Since it is standard practice to have confidentiality clauses in contracts, aren't we violating that confidentiality when we discuss technical details based on our previous pentesting experience (if we don't have that clause, that is)?

Confidentiality is important. I think that even if a customer has a contract that has not been particularly strong in its wording (concerning confidentiality), you still have an obligation to be careful in what you discuss here, and to not expose someone to risks that they would otherwise not have had, or that would have been less. Technical details are easily sanitized (mostly). If it isn't easy, don't discuss it here.

> I feel showing proper respect for contracts is a good thing...

Sure. Showing proper respect for a client relationship is important. Showing basic concern for the security of a customer's network is important. Every detail should be on a case-by-case basis, not just whether or not there's a contract involved.

.shrdlu

--
Nobody grows old merely by living a number of years. We grow old by deserting our ideals. Years may wrinkle the skin, but to give up enthusiasm wrinkles the soul.
Samuel Ullman
Current thread:
- [PEN-TEST] Question on licensing terms and disclosure? Fernando Montenegro (Dec 13)
- Re: [PEN-TEST] Question on licensing terms and disclosure? Etaoin Shrdlu (Dec 13)