RE: Starting up: What contracts, agreements, waivers, etc do you use?

From: Michael C. Roach (mroach@gw.hamline.edu)
Date: Tue Jun 22 2004 - 00:46:08 EDT

• Next message: Mister Coffee: "Re: RF code scanners"
• Previous message: Martin Murray-Brown: "RE: Starting up: What contracts, agreements, waivers, etc do you use?"
• Maybe in reply to: anonyguard-pentest@yahoo.com: "Starting up: What contracts, agreements, waivers, etc do you use?"
• Next in thread: bartholomewbj@comcast.net: "Re: Starting up: What contracts, agreements, waivers, etc do you use?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I don't do security work but in general all of my clients agree to limit
the financial exposure (liability) of both parties to the agreed upon
cost of the contract as executed. This seems to be a pretty standard
legal tenet and any decent lawyer could set you up with boilerplate
language for a couple hours of billable time (highly recommend you see a
lawyer).

So for example, if a customer executes a $3,500 contract with me and
things don't work out my only financial exposure is the money brought in
by that contract. Of course if you're bigtime negligent many states
allow for these limits on liability, even if agreed to in an executed
contract, to be waived, but from what I have been told the bar is pretty
high for that to happen and as long as you do due diligence then its
generally a non-issue.

Seek a lawyer, can't stress that enough.

>>> "Yonatan Bokovza" <Yonatan@xpert.com> 06/21/04 22:49 PM >>>
We usually sign Non-Disclosure Agreements, so the client is assured his
sensitive
information is safe with us.
The client is also signed on a legal paper saying we take no
responsibility for any
loss that occurs due to the penetration-test, though we promise to do
our best to
minimize it.
As for the liability issue you mentioned, I know there are insurance
solutions for
that.
 
Regards,
Yonatan Bokovza
Senior IT Security Consultant, CISSP
Xpert Systems
 

    -----Original Message-----
    From: anonyguard-pentest@yahoo.com
[mailto:anonyguard-pentest@yahoo.com]
    Sent: Wed 6/16/2004 5:36 PM
    To: pen-test@securityfocus.com
    Cc:
    Subject: Starting up: What contracts, agreements, waivers, etc do
you use?
    
    

    Hello, everyone. I'm looking at the possibility of
    striking out on my own with a network vulnerability
    assessment / penetration test consulting firm. My
    question is more towards the administrative side of the
    business, rather than the technical. For those of you
    who do this kind of consulting, what sorts of contracts,
    statements of work or other legal documents do you use
    with your customers? I'm particularly concerned about
    the liability issue of probing and/or breaking into
    other peoples' networks. What sort of waivers do you
    ask your customers to sign, or what reasonable amount
    of liability are you willing to accept?
    
    

• Next message: Mister Coffee: "Re: RF code scanners"
• Previous message: Martin Murray-Brown: "RE: Starting up: What contracts, agreements, waivers, etc do you use?"
• Maybe in reply to: anonyguard-pentest@yahoo.com: "Starting up: What contracts, agreements, waivers, etc do you use?"
• Next in thread: bartholomewbj@comcast.net: "Re: Starting up: What contracts, agreements, waivers, etc do you use?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT