Penetration Testing mailing list archives

Re: [PEN-TEST] Question on licensing terms and disclosure?


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Tue, 12 Dec 2000 09:01:23 -0800

Fernando Montenegro wrote:

> Hello everyone,
>
> Quick legalese questions:
>
> On doing our penetration tests, how do the license
> agreements that our customers have with their
> equipment providers affect us?

[reverse engineering example]
I don't think that pen-testing qualifies as reverse-engineering, unless
your definition is dramatically different from the standard. You aren't
attempting to reproduce the black box, just break it. Not the same.

> A second question deals with disclosure of
> vulnerabilities on lists such as this one.
>
> Does the contract signed between you (the
> pentester) and the customer include a clause
> allowing you to share technical information you find?

I wouldn't even put a clause like that in an agreement. I realize that a
customer might ask for it, but you should not sign it. That is simply
too broad a statement. I believe that you can have technical discussions
of most of what you might find without identifying a particular
customer. In those cases where it would identify someone specifically,
this forum would not be the place to do that. I have made posts here
that were sanitized questions, or suggestions, that came directly from
the real world.

> Since it is standard practice to have confidentiality
> clauses in contracts, aren't we violating that
> confidentiality when we discuss technical details
> based on our previous pentesting experience (if we
> don't have that clause, that is)?

Confidentiality is important. I think that even if a customer has a
contract that has not been particularly strong in its wording
(concerning confidentiality), you still have an obligation to be careful
in what you discuss here, and to not expose someone to risks that they
would otherwise not have had, or that would have been less. Technical
details are easily sanitized (mostly). If it isn't easy, don't discuss
it here.

> I feel showing proper respect for contracts is a good thing...

Sure. Showing proper respect for a client relationship is important.
Showing basic concern for the security of a customer's network is
important. Every detail should be on a case-by-case basis, not just
whether or not there's a contract involved.

.shrdlu

--
Nobody grows old merely by living a number of years.
We grow old by deserting our ideals.
Years may wrinkle the skin, but to give up enthusiasm
wrinkles the soul.            Samuel Ullman