Penetration Testing mailing list archives
Re: The legal / illegal line?
From: Martin Zimmermann <Prohest () gmail com>
Date: Mon, 05 Mar 2007 22:52:58 +0100
Never _ever_ engage in anything without a signed "get of of jail letter" + an quite specific agreement stating what you are authorized to do and what the potentiel riscs are. Dotzero is very right in concluding that they are _not_ in any way a client until a signed agreement exsists. I can only imagine very few (and somewhat far fetched) situations where you "discover" a vulnerability without "crossing the line", both in relation to the law and morally. Besides no serious client would ever hire a pen-test team that "pre-pens" them. It shows a complete lack of professionalism and often borders on black-mail in most situations of cases I've come across. And it qiute frankly sounds like you crossed the line!
Just my 1½ cent Martin - Dotzero skrev:
The original question from Barry was about legal vs illegal. There is only one (IMHO) answer to that question. It depends on jurisdiction. The laws that apply in one jurisdiction may not apply in another. I'm also concerned about Barry asking about when others "approach a client" to tell them about their insecurities following a "simple pen-test".. They are NOT your client unless they have engaged you. They are a potential client. They have no relationship with you and you have not been authorized by them to do anything on their behalf. Even if you haven't done anything illegal, most companies I'm familiar with would be unlikely to hire you or your company under such circumstances. The actions you describe are indicative of a failure to recognize appropriate boundaries. A more reasonable approach (and one more likely to attract business) would be to have your sales people pitch a free security assessment. Have a standard agreement authorizing a standard but limited set of activities that you can then use to show a potential client how they might benefit from your services. As usual, just my 2 cents. dotzero ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW------------------------------------------------------------------------
--- avast! Antivirus: Udgaende besked er ren. Virus Database (VPS): 000721-1, 03-03-2007 Testet: 05-03-2007 22:52:58 avast! - copyright (c) 1988-2007 ALWIL Software. http://www.avast.com/ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Re: The legal / illegal line?, (continued)
- Re: The legal / illegal line? Philosophil (Mar 05)
- Re: The legal / illegal line? Varun Nair (Mar 27)
- Re: The legal / illegal line? admin (Mar 05)
- Re: The legal / illegal line? Security Guy (Mar 05)
- RE: The legal / illegal line? Craig Wright (Mar 05)
- Re: The legal / illegal line? Barry Fawthrop (Mar 05)
- RE: The legal / illegal line? McCarty, Eric C. (Mar 05)
- Re: The legal / illegal line? Tim Shea (Mar 05)
- RE: The legal / illegal line? Craig Wright (Mar 05)
- Re: The legal / illegal line? Dotzero (Mar 05)
- Re: The legal / illegal line? Martin Zimmermann (Mar 05)
- Re: The legal / illegal line? Chris Travers (Mar 05)
- Re: The legal / illegal line? Security Guy (Mar 05)
- Re: The legal / illegal line? Philosophil (Mar 05)
- Re: The legal / illegal line? David Swafford (Mar 05)
- Re: The legal / illegal line? Paul Robertson (Mar 05)
- RE: The legal / illegal line? Craig Wright (Mar 05)
- Re: The legal / illegal line? Chris Travers (Mar 05)
- Re: The legal / illegal line? Justin Ross (Mar 05)
- RE: The legal / illegal line? Craig Wright (Mar 05)
- RE: The legal / illegal line? Craig Wright (Mar 05)
- Re: The legal / illegal line? Chris Travers (Mar 06)