[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] posting xss notifications in sites vs software packages



On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
> A general question: is it legal to search for XSS vulnerabilities on
> custom websites ?

Yes. No. Maybe. Depends where you live, where the web server is physically
located, and where the corporate headquarters are.  In the US, the law you
need to worry about most is 18 USC 1030:

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"... having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information..."

It's going to come down to whether the jury believes the prosecutor's version
or your version of what "exceeding authorized access" means - which is why
professional pen testers make sure they get a "Get Out Of Jail Free" card, and
negotiate rules of engagement (what's allowed, what's not) as part of the
contract.  You amature pen testers are on your own. ;)

Attachment: pgp9RoGuKlifk.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/