Re: Volunteer pen testing

From: Matt Bellizzi (matt.bellizzi@nokia.com)
Date: Wed Dec 15 2004 - 14:20:32 EST


Thanks for responding, everyone. Well, it looks like there are two camps
here. The first group mostly objects to the liability to me. The
second thinks it's a good idea. It looks like I should seek some legal
advice. Luckily my company offers that as a benefit. Or I'm sure I
could probably find a lawyer to do it pro bono. Looks like I'll need
an NDA for me, a letter of intent, and an agreement to hold harmless for my
client. If someone out there has some boilerplate examples of these, I
would love to see them. A couple of other issues were also brought to my
attention, like: what is the scope of the pen test? Also, what happens
after the pen test? And finally, who to call if I DoS something. Off
the top of my head: the scope of the pen test is dependent on the
client's network. The actions after the pen test depend on whether they
have staff or not. As for crashing machines... I'm thinking that before even
attempting to test I would have to meet with whomever they have on
staff and co-ordinate off times for testing and contact numbers. I
would also not run actual DoS exploits. This might not be
considered a pen test, but I still think it might be useful and/or fun.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT