Authorization for a security check

[Hani]

Hello,

I'm planning to start a new website where website owners request me and my team of security researchers to check their websites for breaches.

We all know that seeking a security breach in a website without the permission of its owner is prohibited by law.

My question is, do I have to get website owners to sign a an authorizing document or can an email request from them be enough to prove that they gave us the permission to check their websites? If it's the first, where can I find a lawyer online to write down the authorizing document and how much whould he take?

Thanks.

 

[Michael Wechsler]

I've done these agreements before and it's no different than consulting services. It's impossible to say how much an agreement costs as attorneys price ranges vary, even though I've always thought my work was always thought to very affordable and true value... IMHO, lol!!

In your instance, the challenge comes more from ensuring that you have the permission of the web site owner to try to hack the web site. It would not be sufficient to have a good contract with a simple click-through agreement without appropriate authorization/verification procedures, e.g. proof that the registrant of the domain name for the site is the registrant by faxing driver's license and payment of a deposit with a credit card with the same name, etc. This part is critical for the execution, with the legal agreement being the easier portion!