Penetration Testing mailing list archives

Re: Volunteer pen testing


From: Matt Bellizzi <matt.bellizzi () nokia com>
Date: Wed, 15 Dec 2004 11:20:32 -0800

Thanks for responding, everyone. Well, it looks like there are two camps here. The first group mostly objects to the liability to me. The second thinks it's a good idea. It looks like I should seek some legal advice. Luckily my company offers that as a benefit. Or I'm sure I could probably find a lawyer to do it pro bono. Looks like I'll need an NDA for me, a letter of intent and an agreement to hold harmless for my client. If someone out there has some boilerplate examples of these I would love to see 'em. A couple of other issues were also brought to my attention. Like what is the scope of the pen test? Also, what happens after the pen-test? And finally, who to call if I DoS something. Off the top of my head: the scope of the pen-test is dependent on the client's network. The actions after the pentest depend on if they staff or not. As for crashing machines... I'm thinking that before even attempting to test I would have to meet with whomever they have on staff and co-ordinate off times for testing and contact numbers. I would also not actually run DoS exploits. This might not be considered a pen-test, but I still think it might be useful and/or fun.

