RE: How to Tackle the Legal Tangle?

From: Steve (steveat_private)
Date: Mon Sep 10 2001 - 13:33:36 PDT

    I agree with Dan.
    
    Most organizations will have spent the money to have a "Standard Terms & 
    Conditions" or "Letter of Understanding" drafted that can be attached to 
    proposals and used as a get out of jail free card.  In general, I will not 
    start any work for a client, even if it is not a Pen-Test, before they have 
    signed this document.  This accomplishes two things (if the document is 
    drafted properly): it commits the clients to my proposal (and fees) and it 
    shows that the client accepts the dangers of performing certain 
    tasks.  Also, be sure that the person signing the document is an authorized 
    signing agent for the client in question.
    
    It's a pain in the ass, and lawyers are expensive, but make sure that your 
    lawyer knows that you want the document to be general enough that you can 
    use it for any client with little modification.
    
    
    Regards;
    
    Steve Manzuik
    Moderator - VulnWatch
    www.vulnwatch.org
    
    
    At 12:12 PM 10/09/2001 -0400, Dan Ryan wrote:
    >Contracting for penetration testing is complex and, if not done with the
    >assistance of expert counsel, can leave you at serious risk. Find a lawyer
    >who understands both contracts and cyberlaw and listen carefully to his or
    >her advice. This is no place for do-it-yourself.
    >
    >Daniel J. Ryan
    >Attorney at Law
    >
    >-----Original Message-----
    >From: Biju Mukund [mailto:bmukundat_private]
    >Sent: Monday, September 10, 2001 12:14 AM
    >To: pen-testat_private
    >Subject: How to Tackle the Legal Tangle?
    >
    >
    >There is a lot of confusion on the Legal Documents that we need to sign and
    >protect ourselves (i.e. Pen Testing Company) before we accept an Assignment.
    >Consultants and legal 'experts' dump loads of papers which no one really
    >understands.
    >Is anyone aware of a web resource where one can find all/some documents
    >which we might use before and after a Pen-testing assignment?
    >Or is there someone who can guide us on "How to Tackle the Legal Tangle?"
    >
    >Regards
    >Biju Mukund
    >
    >BS 7799 Certified Auditor
    >MIEL e-Security Pvt. Ltd
    >bmukundat_private
    >www.mielesecurity.com
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    >Service. For more information on SecurityFocus' SIA service which
    >automatically alerts you to the latest security vulnerabilities please see:
    >https://alerts.securityfocus.com/
    >
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 14:35:28 PDT