Penetration Testing mailing list archives
RE: Volunteer pen testing
From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Wed, 15 Dec 2004 16:13:20 -0500
Another good idea is to REALLY verify that you are hitting the right IP owned by the organization. Small shops sometimes don't know their own subnet or IP addresses, so try to verify by looking at a router config or whois lookup. That way you don't whack the wrong victim and get liability from someone you *didn't* get a CYA letter from. Could really put a damper on all that altruism :)

P.S. For Pete's sake, people, don't send out-of-office replies to a listserv. Every time I send an email to this list I get about 30 of those suckers. Geesh.

Mark Lachniet
-----Original Message-----
From: Matt Bellizzi [mailto:matt.bellizzi () nokia com]
Sent: Wednesday, December 15, 2004 2:21 PM
Cc: pen-test () securityfocus com
Subject: Re: Volunteer pen testing

Thanks for responding everyone. Well, it looks like there are two camps here. The first group mostly objects to the liability to me. The second thinks it's a good idea. It looks like I should seek some legal advice. Luckily my company offers that as a benefit. Or I'm sure I could probably find a lawyer to do it pro bono. Looks like I'll need an NDA for me, a letter of intent and an agreement to hold harmless for my client. If someone out there has some boilerplate examples of these I would love to see 'em.

A couple of other issues were also brought to my attention, like: What is the scope of the pen test? Also, what happens after the pen test? And finally, who to call if I DoS something.

Off the top of my head: the scope of the pen test is dependent on the client's network. The actions after the pen test depend on whether they have staff or not. As for crashing machines... I'm thinking that before even attempting to test I would have to meet with whomever they have on staff and co-ordinate off times for testing and contact numbers. I would also not run actual DoS exploits. This might not be considered a pen test, but I still think it might be useful and/or fun.
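Mark's point about confirming you are hitting the right addresses can be turned into a mechanical gate that runs before any tool is pointed at a target. The example below is added here and is not code from either poster; the scope ranges, the excluded host and the candidate target list are constructed placeholders (RFC 5737 documentation addresses), standing in for whatever the client's router config or whois records actually confirm.

```python
from ipaddress import ip_address, ip_network

# Constructed example scope: the ranges the client's authorization letter grants.
# RFC 5737 documentation addresses are used here; they are not a real client.
AUTHORIZED = ["198.51.100.0/24", "203.0.113.16/28"]
# Constructed carve-out: an address inside the range that the client does not
# own (e.g. a shared host at their ISP), so it must never be touched.
EXCLUDED = ["198.51.100.250/32"]


def in_scope(target, authorized=AUTHORIZED, excluded=EXCLUDED):
    """Return True only if target is a valid IP inside an authorized range and
    outside every excluded range. Anything unparseable is out of scope by
    design: a hostname or typo must be resolved and confirmed first, not guessed."""
    try:
        addr = ip_address(target)
    except ValueError:
        return False
    if any(addr in ip_network(n, strict=False) for n in excluded):
        return False
    return any(addr in ip_network(n, strict=False) for n in authorized)


def partition_targets(targets, authorized=AUTHORIZED, excluded=EXCLUDED):
    """Split a candidate list into (in_scope, out_of_scope). Everything in the
    second list needs a whois or router-config check with the client before it
    is touched; nothing should be scanned until that list is empty."""
    accepted, rejected = [], []
    for t in targets:
        (accepted if in_scope(t, authorized, excluded) else rejected).append(t)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed candidate list: two good hosts, the excluded host, an address
    # just outside the /28, and a hostname that was never resolved.
    candidates = ["198.51.100.7", "203.0.113.20", "198.51.100.250",
                  "203.0.113.40", "mail.example-client.invalid"]
    ok, bad = partition_targets(candidates)
    print("cleared for testing:", ok)
    print("confirm with client first:", bad)
```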