Penetration Testing mailing list archives
[PEN-TEST] Question on licensing terms and disclosure?
From: Fernando Montenegro <fsmontenegro () INAME COM>
Date: Mon, 11 Dec 2000 01:59:03 -0000
Hello everyone,

Quick legalese questions: On doing our penetration tests, how do the license agreements that our customers have with their equipment providers affect us? Perhaps an example will explain things better:

- Let's say we are testing equipment X (a network-connected black box, in this example) for company Y. Part of our testing is, of course, attempting to find out things with weird TCP packets (OS ID'ing a la nmap/queso, for example). If the license agreement for X specifies "no reverse engineering" (pretty usual nowadays), aren't we violating those licensing terms?

A second question deals with disclosure of vulnerabilities on lists such as this one. Does the contract signed between you (the pentester) and the customer include a clause allowing you to share technical information you find? Since it is standard practice to have confidentiality clauses in contracts, aren't we violating that confidentiality when we discuss technical details based on our previous pentesting experience (if we don't have that clause, that is)?

I am in no way trying to reduce the quality or the amount of information that is shared on this and similar lists. What I *am* trying to do is understand whether our desire to share information doesn't put us at risk in an increasingly sue-happy world. Also, when the non-technical world starts debating whether or not we should be allowed to have security tools, I feel showing proper respect for contracts is a good thing... (This is what I get from being from a family of lawyers... :-) )

Thanks!

Regards,
Fernando

--
Fernando S. Montenegro - fsmontenegro () iname com
#include <disclaimer.h>
Current thread:
- [PEN-TEST] Question on licensing terms and disclosure? Fernando Montenegro (Dec 13)
- Re: [PEN-TEST] Question on licensing terms and disclosure? Etaoin Shrdlu (Dec 13)