[WEB SECURITY] security audit - how to avoid legal prosecution

Maxim Kostioukov maxim at francoudi.com
Wed Jun 8 14:16:32 EDT 2005


Randal, your story is shocking... Especially the size of the penalties 10 years ago. Now we would expect something even more serious... Your story must be told to everyone who is going to do security "research". The point is that, because of the legal possibility of taking you down, the other side may do it just because a top manager was pissed off and really wanted this.
 
As I said before, it might be considered an internal audit. But in any case, would someone draft a template of the agreement that is usually used in this case? I am not sure that a free-style email like "yes, do it" from a manager would be legally sufficient, would it? Especially for external audits...

	-----Original Message----- 
	From: Randal L. Schwartz [mailto:merlyn at stonehenge.com] 
	Sent: Wed 6/8/2005 6:00 PM 
	To: Maxim Kostioukov 
	Cc: webappsec at securityfocus.com; websecurity at webappsec.org 
	Subject: Re: [WEB SECURITY] security audit - how to avoid legal prosecution
	
	>>>>> "Maxim" == Maxim Kostioukov <maxim at francoudi.com> writes:
	
	Maxim> Would someone advise on how to approach in sense of legal
	Maxim> agreements BEFORE doing any security research?
	
	Maxim> For example, one is doing penetration tests on web apps without
	Maxim> a written agreement or even worse - without the other side to
	Maxim> be aware of the test, then informs the side about findings (not
	Maxim> disclosure them publicly).
	
	Maxim> Any chance for legal prosecution to be fired in case if the
	Maxim> other side just would like to do this? I think it is
	Maxim> possible... Any advice?
	
	To see my story of how I became a felon just for doing something
	similar, read http://www.lightlink.com/fors/.  Unless you have a spare
	$250K and don't mind being a felon for life, I wouldn't advise you to
	do what you are considering.
	
	And in today's "everybody is a terrorist" new world order, it gets
	even worse.
	
	--
	Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
	<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
	Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
	See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
	