You should get the OK from the hosting company - in writing - before you begin. You might not be able to legally continue in the first place. While the SERVICE is out-sourced, the non-resident company owns the hardware, as well as the routers leading to it and you may NOT be allowed to scan that (which actions may be deemed an intrusion by the hosting company). What is in the contract you have with them (the hosted company with the hosting company) that may cover this contingency? V/R Jim Franklin DeMatto wrote: > > Anyone know how to handle the legal/bueracratic aspects of pen-testing a web server which is not in-house, but property of a hosting company?? > > The hosting company may not take lightly to suggestions that it may be vulnerable, and may be afraid of damage caused by a test. Worse, if the server is not dedicated, but rather uses virtual hosts, other clients could be affected by the testing. > > Any real-world advice, forms, paperwork, or legal info. would be appreciated. > > Franklin DeMatto > franklinat_private > qDefense - DEFENDING THE ELECTRONIC FRONTIER -- James W. Meritt, CISSP, CISA Booz, Allen & Hamilton phone: (410) 684-6566
This archive was generated by hypermail 2b30 : Tue May 22 2001 - 16:24:30 PDT