Penetration Testing mailing list archives

[PEN-TEST] Question on licensing terms and disclosure?


From: Fernando Montenegro <fsmontenegro () INAME COM>
Date: Mon, 11 Dec 2000 01:59:03 -0000

Hello everyone,

Quick legalese questions:

When doing our penetration tests, how do the license 
agreements that our customers have with their 
equipment providers affect us?

Perhaps an example will explain things better:
- Let's say we are testing equipment X (a network-
connected black box, in this example) for company Y. 
Part of our testing is, of course, attempting to find out 
things with weird TCP packets (OS ID'ing a la 
nmap/queso, for example). If the license agreement 
for X specifies "no reverse engineering" (pretty usual 
nowadays), aren't we violating those licensing terms?

A second question deals with disclosure of 
vulnerabilities on lists such as this one. 

Does the contract signed between you (the 
pentester) and the customer include a clause 
allowing you to share technical information you find? 
Since it is standard practice to have confidentiality 
clauses in contracts, aren't we violating that 
confidentiality when we discuss technical details 
based on our previous pentesting experience (if we 
don't have that clause, that is)?

I am in no way trying to reduce the quality or the 
amount of information that is shared on this and 
similar lists. What I *am* trying to do is understand 
whether our desire to share information doesn't put us 
at risk in an increasingly sue-happy world. Also, when 
the non-technical world starts debating whether or not 
we should be allowed to have security tools, I feel 
showing proper respect for contracts is a good thing...

(This is what I get from being from a family of 
lawyers... :-) )

Thanks!

Regards,
Fernando
--
Fernando S. Montenegro  -  
fsmontenegro () iname com
#include <disclaimer.h>
