Date: Wed, 08 Feb 2012 21:23:49 -0500
From: Valdis.Kletnieks@...edu
To: Info <info@...hell.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: posting xss notifications in sites vs software packages

On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
> A general question: is it legal to search for XSS vulnerabilities on
> custom websites ?

Yes. No. Maybe. Depends where you live, where the web server is physically
located, and where the corporate headquarters are.  In the US, the law you
need to worry about most is 18 USC 1030:

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"... having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information..."

It's going to come down to whether the jury believes the prosecutor's version
or your version of what "exceeding authorized access" means - which is why
professional pen testers make sure they get a "Get Out Of Jail Free" card, and
negotiate rules of engagement (what's allowed, what's not) as part of the
contract.  You amateur pen testers are on your own. ;)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
