Re: The legal / illegal line?

From: Martin Zimmermann (Prohest@gmail.com)
Date: Mon Mar 05 2007 - 16:52:58 EST


Never _ever_ engage in anything without a signed "get out of jail letter"
plus a quite specific agreement stating what you are authorized to do and
what the potential risks are. Dotzero is very right in concluding that
they are _not_ in any way a client until a signed agreement exists. I
can only imagine very few (and somewhat far-fetched) situations where
you "discover" a vulnerability without "crossing the line", both in
relation to the law and morally. Besides, no serious client would ever
hire a pen-test team that "pre-pens" them. It shows a complete lack of
professionalism and often borders on blackmail in most of the cases
I've come across. And it quite frankly sounds like you crossed the
line!

Just my 1½ cents

Martin

-

Dotzero wrote:
> The original question from Barry was about legal vs illegal. There is
> only one (IMHO) answer to that question. It depends on jurisdiction.
> The laws that apply in one jurisdiction may not apply in another.
>
> I'm also concerned about Barry asking about when others "approach a
> client" to tell them about their insecurities following a "simple
> pen-test". They are NOT your client unless they have engaged you.
> They are a potential client. They have no relationship with you and
> you have not been authorized by them to do anything on their behalf.
> Even if you haven't done anything illegal, most companies I'm familiar
> with would be unlikely to hire you or your company under such
> circumstances. The actions you describe are indicative of a failure to
> recognize appropriate boundaries.
>
> A more reasonable approach (and one more likely to attract business)
> would be to have your sales people pitch a free security assessment.
> Have a standard agreement authorizing a standard but limited set of
> activities that you can then use to show a potential client how they
> might benefit from your services.
>
> As usual, just my 2 cents.
>
> dotzero
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>
> ------------------------------------------------------------------------
>
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT