RE: Starting up: What contracts, agreements, waivers, etc do you use?

From: Michael C. Roach (
Date: 06/22/04

    Date: Mon, 21 Jun 2004 23:46:08 -0500
    To: <>

    I don't do security work but in general all of my clients agree to limit
    the financial exposure (liability) of both parties to the agreed upon
    cost of the contract as executed. This seems to be a pretty standard
    legal tenet and any decent lawyer could set you up with boilerplate
    language for a couple hours of billable time (highly recommend you see a

    So for example, if a customer executes a $3,500 contract with me and
    things don't work out, my only financial exposure is the money brought in
    by that contract. Of course, if you're big-time negligent, many states
    allow these limits on liability, even if agreed to in an executed
    contract, to be waived, but from what I have been told the bar is pretty
    high for that to happen, and as long as you do due diligence then it's
    generally a non-issue.

    Seek a lawyer, can't stress that enough.

    >>> "Yonatan Bokovza" <> 06/21/04 22:49 PM >>>
    We usually sign Non-Disclosure Agreements, so the client is assured his
    information is safe with us.
    The client is also signed on a legal paper saying we take no
    responsibility for any loss that occurs due to the penetration test,
    though we promise to do our best to minimize it.
    As for the liability issue you mentioned, I know there are insurance
    solutions for
    Yonatan Bokovza
    Senior IT Security Consultant, CISSP
    Xpert Systems

        -----Original Message-----
        Sent: Wed 6/16/2004 5:36 PM
        Subject: Starting up: What contracts, agreements, waivers, etc do you use?

        Hello, everyone. I'm looking at the possibility of
        striking out on my own with a network vulnerability
        assessment / penetration test consulting firm. My
        question is more towards the administrative side of the
        business, rather than the technical. For those of you
        who do this kind of consulting, what sorts of contracts,
        statements of work or other legal documents do you use
        with your customers? I'm particularly concerned about
        the liability issue of probing and/or breaking into
        other peoples' networks. What sort of waivers do you
        ask your customers to sign, or what reasonable amount
        of liability are you willing to accept?
