Penetration Testing mailing list archives

Re: [PEN-TEST] Legal aspect of Pen-Test


From: Steve Goldsby <sgoldsby () integrate-u com>
Date: Thu, 5 Oct 2000 15:02:20 -0500

Talk to your attorney on this.  However:

- The Pen-Tester gets traced and the police knock at his door
        -  We use an "Authorization to Scan" document in case the cops come
knocking

- The Pen-Tester is believed to have caused damage to the customer equipment
or data during the penetration.
        -  We use a "hold harmless" agreement.  Basically, we say "feces occur, and
by signing you understand that though we will not intentionally cause damage
or system downtime, systems may crash or behave erratically during the
penTest.  You agree to hold us harmles...blah blah blah"

- the customer has followed the security firm's advice and implemented the
required security measures but is hacked a few days after.
        - again, the hold harmless.  "You understand that this is an ongoing
process, and that feces occur, and that we're only providing you an idea of
your vulnerabilities.  There is no guarantee that new vulnerabilities will
not be found and exploited."





-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Pascal Longpre
Sent: Thursday, October 05, 2000 2:35 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Legal aspect of Pen-Test


Hi,

Does anyone have a template or an example of what a legal Pen-Test contract
looks like, so the security firm is covered in the case where:
- The Pen-Tester gets traced and the police knock at his door
- The Pen-Tester is believed to have caused damage to the customer equipment
or data during the penetration.
- the customer has followed the security firm's advice and implemented the
required security measures but is hacked a few days after.
- Any other problem that can arise from the security firm's activities

I'm looking for the legal stuff or ideas of what it might include.

Regards

Pascal
