[WEB SECURITY] security audit - how to avoid legal prosecution

Maxim Kostioukov maxim at francoudi.com
Wed Jun 8 13:54:55 EDT 2005


The answers are No to both questions. Luckily, the situation is more theoretical, since it is an internal audit from quality assurance, but no penetration testing was mentioned explicitly.

	-----Original Message----- 
	From: Nathan Tobik [mailto:nathan.tobik at vigilantminds.com] 
	Sent: Wed 6/8/2005 5:29 PM 
	To: webappsec at securityfocus.com; websecurity at webappsec.org 
	Cc: 
	Subject: RE: [WEB SECURITY] security audit - how to avoid legal prosecution
	
	

	Does anyone at the site to be attacked know this is going to happen?  Is 
	this a situation where you were contracted by someone at a high level 
	and they don't want the security department or IT department to know you 
	are conducting the penetration testing? 

	Nate Tobik 
	(412)661-5700 x206 
	VigilantMinds 

	-----Original Message----- 
	From: Maxim Kostioukov [mailto:maxim at francoudi.com] 
	Sent: Wednesday, June 08, 2005 10:01 AM 
	To: webappsec at securityfocus.com; websecurity at webappsec.org 
	Subject: [WEB SECURITY] security audit - how to avoid legal prosecution 


	Would someone advise on how to approach this, in the sense of legal agreements, 
	BEFORE doing any security research? 

	For example, one is doing penetration tests on web apps without a 
	written agreement, or even worse, without the other side being aware of 
	the test, and then informs that side about the findings (not disclosing them 
	publicly). 

	Any chance of legal prosecution being filed in case the other side 
	just would like to do this? I think it is possible... Any advice? 

	--------------------------------------------------------------------- 
	The Web Security Mailing List 
	http://www.webappsec.org/lists/websecurity/ 

	The Web Security Mailing List Archives 
	http://www.webappsec.org/lists/websecurity/archive/ 





