I would want to see it 100% in writing
Dear Bob,
Please try to break into our systems. We are authorising you to do this. If you are unsuccessful that is OK. If you are successful or unsuccessful we will not seek to prosecute you. If somebody else wants to prosecute you, please consider this letter as an agreement prior to the act, that we are therefore to be considered co-conspirators to the alleged offence.
Signed by every director on the board, and not just one who we want to throw under the bus when the crap hits the fan.
The idea sounds good in principle, but in practice I am not so sure. On the inside we are party to knowledge which attackers may not have. We many know the design limits of systems and know how to overload them. That is privilege of being on the inside. Every system has limits and flaws somewhere. It may not be possible to eliminate them all.
Biting the hand that feeds IT
