[WEB SECURITY] security audit - how to avoid legal prosecution
maxim at francoudi.com
Wed Jun 8 14:16:32 EDT 2005
Randal, your story is shocking... Especially the size of the penalties 10 years ago. Now we would expect something even more serious... Your story must be told to everyone who is going to do security "research". The point is that, because of the legal possibility to get you down, the other side may do it just because a top manager was pissed off and really wanted this.
As I said before, it might be considered an internal audit. But in any case, would someone draft a template of the agreement that is usually used in this case? I am not sure that a free-style email like "yes, do it" from a manager would be legally sufficient, would it? Especially for external audits...
From: Randal L. Schwartz [mailto:merlyn at stonehenge.com]
Sent: Wed 6/8/2005 6:00 PM
To: Maxim Kostioukov
Cc: webappsec at securityfocus.com; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] security audit - how to avoid legal prosecution
>>>>> "Maxim" == Maxim Kostioukov <maxim at francoudi.com> writes:
Maxim> Would someone advise on how to approach, in the sense of legal
Maxim> agreements, BEFORE doing any security research?
Maxim> For example, one is doing penetration tests on web apps without
Maxim> a written agreement or even worse - without the other side
Maxim> being aware of the test, then informs the side about findings (not
Maxim> disclosing them publicly).
Maxim> Any chance for legal prosecution to be fired in case the
Maxim> other side just would like to do this? I think it is
Maxim> possible... Any advice?
To see my story of how I became a felon just for doing something
similar, read http://www.lightlink.com/fors/. Unless you have a spare
$250K and don't mind being a felon for life, I wouldn't advise you to
do what you are considering.
And in today's "everybody is a terrorist" new world order, it gets
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!