[WEB SECURITY] security audit - how to avoid legal prosecution

Randal L. Schwartz merlyn at stonehenge.com
Wed Jun 8 11:00:41 EDT 2005


>>>>> "Maxim" == Maxim Kostioukov <maxim at francoudi.com> writes:

Maxim> Would someone advise on how to approach in sense of legal
Maxim> agreements BEFORE doing any security research?

Maxim> For example, one is doing penetration tests on web apps without
Maxim> a written agreement or even worse - without the other side to
Maxim> be aware of the test, then informs the side about findings (not
Maxim> disclosing them publicly).

Maxim> Any chance for legal prosecution to be fired in case if the
Maxim> other side just would like to do this? I think it is
Maxim> possible... Any advice?

To see my story of how I became a felon just for doing something
similar, read http://www.lightlink.com/fors/.  Unless you have a spare
$250K and don't mind being a felon for life, I wouldn't advise you to
do what you are considering.

And in today's "everybody is a terrorist" new world order, it gets
even worse.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


