Penetration Testing mailing list archives
RE: Starting up: What contracts, agreements, waivers, etc do you use?
From: "Michael C. Roach" <mroach () gw hamline edu>
Date: Mon, 21 Jun 2004 23:46:08 -0500
I don't do security work, but in general all of my clients agree to limit the financial exposure (liability) of both parties to the agreed-upon cost of the contract as executed. This seems to be a pretty standard legal tenet, and any decent lawyer could set you up with boilerplate language for a couple hours of billable time (highly recommend you see a lawyer). So for example, if a customer executes a $3,500 contract with me and things don't work out, my only financial exposure is the money brought in by that contract. Of course if you're bigtime negligent many states allow for these limits on liability, even if agreed to in an executed contract, to be waived, but from what I have been told the bar is pretty high for that to happen and as long as you do due diligence then it's generally a non-issue. Seek a lawyer, can't stress that enough.
"Yonatan Bokovza" <Yonatan () xpert com> 06/21/04 22:49 PM >>>
We usually sign Non-Disclosure Agreements, so the client is assured his sensitive information is safe with us. The client also signs a legal paper saying we take no responsibility for any loss that occurs due to the penetration-test, though we promise to do our best to minimize it.

As for the liability issue you mentioned, I know there are insurance solutions for that.

Regards,
Yonatan Bokovza
Senior IT Security Consultant, CISSP
Xpert Systems

-----Original Message-----
From: anonyguard-pentest () yahoo com [mailto:anonyguard-pentest () yahoo com]
Sent: Wed 6/16/2004 5:36 PM
To: pen-test () securityfocus com
Cc:
Subject: Starting up: What contracts, agreements, waivers, etc do you use?

Hello, everyone. I'm looking at the possibility of striking out on my own with a network vulnerability assessment / penetration test consulting firm. My question is more towards the administrative side of the business, rather than the technical.

For those of you who do this kind of consulting, what sorts of contracts, statements of work or other legal documents do you use with your customers? I'm particularly concerned about the liability issue of probing and/or breaking into other people's networks. What sort of waivers do you ask your customers to sign, or what reasonable amount of liability are you willing to accept?