Jon D wrote:
> I've heard of PenTesters giving a Nessus scan report to the client as part
> of their final report.
> I read through the nessus licensing agreement, and I didn't see where it
> said it's not allowed.
>
> Is this legal?
> Also, is it legal to copy text from the nessus scan for a report?
>
> Thanks in advance.
>
Hi Jon,

The real issue I have here is what is passed off to a client as original work. For example, there are many MSPs who take the Nessus direct feed, rip out any reference to Tenable Network Security or Nessus and pass off the entire context as original work. Technically, this isn't a copy, it's editing the results to make it look like something else.

As far as things being "legal" though, I would not recommend you seek legal advice for using Nessus on this list -- seek it from a lawyer. I don't have any idea what sort of service level agreements you're making with your customers, if you've given your customers indemnification, if you are honoring the Nessus trademark or even what you (or your sales or marketing group) told your customer. I've even seen issues where a consulting organization has had their lawyers assert that no open source tools were being used on a job, only to find out that someone was still using Nessus 2, Metasploit and so on.

Ron Gula, CTO
Tenable Network Security
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
