[WEB SECURITY] security audit - how to avoid legal prosecution

Lyal Collins lyal.collins at key2it.com.au
Thu Jun 9 06:27:54 EDT 2005


I think this is simply intent.
Having a hammer in your hand outside a jewelry store's window is not an
issue, unless under circumstances which would allow anyone to conclude there
was intent to do harm.

Having a written communication from the target site (or licensee of the
application, if it's a software eval test) that says 'you are ok to pen test
<insert specifics> during these dates and I have authority to let you do
this' means the intent to maliciously cause harm is absent - the intent is
to test and report. 

IMHO, anything else can be argued as having intent to cause harm and loss,
with potential for real penalties.

Lyal

-----Original Message-----
From: Maxim Kostioukov [mailto:maxim at francoudi.com] 
Sent: Thursday, 9 June 2005 12:01 AM
To: webappsec at securityfocus.com; websecurity at webappsec.org
Subject: [WEB SECURITY] security audit - how to avoid legal prosecution



Would someone advise on how to approach this, in terms of legal agreements, BEFORE
doing any security research?

For example, one is doing penetration tests on web apps without a written
agreement or, even worse, without the other side being aware of the test,
then informs that side about the findings (not disclosing them publicly). 

Any chance of legal prosecution being filed if the other side just
would like to do this? I think it is possible... Any advice?

---------------------------------------------------------------------
The Web Security Mailing List http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
