[WEB SECURITY] security audit - how to avoid legal prosecution

Nathan Tobik nathan.tobik at vigilantminds.com
Wed Jun 8 10:29:33 EDT 2005


Does anyone at the site to be attacked know this is going to happen?  Is
this a situation where you were contracted by someone at a high level
and they don't want the security department or IT department to know you
are conducting the penetration testing?

Nate Tobik
(412)661-5700 x206
VigilantMinds

-----Original Message-----
From: Maxim Kostioukov [mailto:maxim at francoudi.com] 
Sent: Wednesday, June 08, 2005 10:01 AM
To: webappsec at securityfocus.com; websecurity at webappsec.org
Subject: [WEB SECURITY] security audit - how to avoid legal prosecution


Would someone advise on how to approach this, in the sense of legal
agreements, BEFORE doing any security research?

For example, one is doing penetration tests on web apps without a
written agreement or, even worse, without the other side being aware of
the test, then informs the other side about the findings (not disclosing
them publicly).

Any chance of legal prosecution being brought if the other side
just would like to do this? I think it is possible... Any advice?

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


