RE: The legal / illegal line?

A contract can be verbal. All that is required for a contract is offer, acceptance and consideration. This said there is the issue of evidence.

Martin is correct when he states " Never _ever_ engage in anything without a signed "get of of jail letter"." You may have a contract with a verbal agreement, but you try and prove it in court.

Worse, an email (though taken as a written agreement) does not give you the ability to presume authority. The system admin may not have the rights to have you do the test. At least with a Deed (a signed, sealed and delivered contract for ease of explanation), you have something to fall on and cover your arse. If the other party had falsely attested that they could authorise you to do the scan, you have a piece of paper supporting this and you can make your own life much easier in the long run.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Martin Zimmermann
Sent: Tuesday, 6 March 2007 8:53 AM
To: Dotzero
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: The legal / illegal line?

Never _ever_ engage in anything without a signed "get of of jail letter"
+ an quite specific agreement stating what you are authorized to do and
what the potentiel riscs are. Dotzero is very right in concluding that
they are _not_ in any way a client until a signed agreement exsists. I
can only imagine very few (and somewhat far fetched) situations where
you "discover" a vulnerability without "crossing the line", both in
relation to the law and morally. Besides no serious client would ever
hire a pen-test team that "pre-pens" them. It shows a complete lack of
professionalism and often borders on black-mail in most situations of
cases I've come across. And it qiute frankly sounds like you crossed the

Just my 1½ cent



Dotzero skrev:
The original question from Barry was about legal vs illegal. There is
only one (IMHO) answer to that question. It depends on jurisdiction.
The laws that apply in one jurisdiction may not apply in another.

I'm also concerned about Barry asking about when others "approach a
client" to tell them about their insecurities following a "simple
pen-test".. They are NOT your client unless they have engaged you.
They are a potential client. They have no relationship with you and
you have not been authorized by them to do anything on their behalf.
Even if you haven't done anything illegal, most companies I'm familiar
with would be unlikely to hire you or your company under such
circumstances. The actions you describe are indicative of a failure to
recognize appropriate boundaries.

A more reasonable approach (and one more likely to attract business)
would be to have your sales people pitch a free security assessment.
Have a standard agreement authorizing a standard but limited set of
activities that you can then use to show a potential client how they
might benefit from your services.

As usual, just my 2 cents.


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Relevant Pages

  • Re: Building Contract. Please help.
    ... we do think the client has cohersed us into doing ... <pasting of contract wording> ... This quotation is a fixed price for the works to completion. ... Central pendant light fitting. ...
  • Re: Please help. I am being sued through a court. How do I respond?
    ... had offered to prepare a standard JCT building contract but did ... The client provided the drawings, ... actual costs by ensuring that a full vehicle would ... site-manager and, crucially, the job had a supervising Architect, ...
  • Re: General OOA/D/P issues
    ... If you want to snip stuff back in do so. ... >> contravene the contract already in place. ... > Client and whoever provides the service. ... internal class Mouth: IConsumer ...
  • Re: Doc always seems to be on vacation on previously proposed paydays
    ... Well, December 1st came, no pay. ... I'm told that they are having trouble with the client paying them. ... at this point I do start threatening lawsuits and finally around mid-February I get paid and they say they no longer have the account. ... They finally tell us that the client is looking at bringing in another company to "compete" for the contract renewal. ...
  • Re: Please help. I am being sued through a court. How do I respond?
    ... |> had offered to prepare a standard JCT building contract but did ... The client provided the drawings, ... The supervising architect was ... |> costs, ...