Skip to main content
Penetration testing is a powerful security discipline that must be conducted within strict legal and ethical boundaries. This page outlines the critical legal requirements and ethical responsibilities you must understand before using AutoPentestX.
CRITICAL: Unauthorized access to computer systems is a federal crime in most jurisdictions. Always obtain written authorization before testing any system.

United States Laws

18 U.S.C. § 1030 - Primary federal law covering computer crimesProhibits:
  • Accessing a computer without authorization
  • Exceeding authorized access
  • Causing damage to protected computers
  • Trafficking in passwords or access credentials
Penalties:
  • First offense: Up to 10 years imprisonment
  • Repeat offense: Up to 20 years imprisonment
  • Fines up to $250,000 or more
  • Civil liability for damages caused

International Laws

United Kingdom

Computer Misuse Act 1990
  • Unauthorized access: Up to 2 years
  • Unauthorized modification: Up to 10 years
  • Facilitating serious crime: Up to life imprisonment

European Union

Directive 2013/40/EU
  • Harmonized cybercrime laws across EU
  • Mandatory penalties for member states
  • Cross-border cooperation requirements

Canada

Criminal Code Part X
  • Unauthorized computer use
  • Mischief in relation to data
  • Up to 10 years imprisonment

Australia

Cybercrime Act 2001
  • Unauthorized access or modification
  • Up to 10 years imprisonment
  • Substantial fines
If you’re outside the United States, research your local computer crime laws. Most countries have similar prohibitions against unauthorized access.

Authorization Requirements

What is “Authorization”?

Authorization means explicit, written permission from the legal owner or authorized representative of the target system. Verbal permission is not sufficient.
Assuming permission, relying on outdated authorization, or testing systems “just to help” without written consent is illegal.

Required Authorization Elements

A proper authorization document must include:
1

System Owner Identification

Full legal name and title of the person authorizing testing
2

Tester Identification

Your full name and organization (if applicable)
3

Target Scope

Specific IP addresses, domains, or systems to be tested
4

Time Window

Start and end dates/times for testing activities
5

Testing Activities

Description of what testing will be performed
6

Exclusions

Any systems or activities that are out of scope
7

Emergency Contacts

Who to contact if issues arise
8

Signatures

Wet signatures or verified digital signatures from both parties

Sample Authorization Letter

PENETRATION TESTING AUTHORIZATION

Date: March 11, 2026

I, [System Owner Name], [Title] of [Organization Name], hereby 
authorize [Tester Name] to conduct security penetration testing 
on the following systems:

Target Systems:
  • IP Address: 192.168.1.100
  • Domain: test-server.example.com
  • Network Range: 10.0.0.0/24

Authorized Testing Period:
  • Start: March 15, 2026 at 09:00 EST
  • End: March 20, 2026 at 17:00 EST

Authorized Activities:
  • Port scanning and service enumeration
  • Vulnerability detection and assessment
  • Web application security testing
  • Exploitation simulation in safe mode
  • Report generation

Prohibited Activities:
  • Social engineering or phishing
  • Denial of service attacks
  • Data exfiltration or modification
  • Testing of production databases

Emergency Contact:
  • Name: [IT Manager Name]
  • Phone: [Phone Number]
  • Email: [Email Address]

I understand that testing may cause service disruptions and 
accept responsibility for any impacts.

System Owner Signature: _____________________ Date: __________

Tester Signature: ___________________________ Date: __________

Witness Signature: __________________________ Date: __________
Consult with legal counsel to ensure your authorization agreements comply with local laws and organizational requirements.

Ethical Responsibilities

Professional Ethics Codes

Security professionals should adhere to established ethics codes:
For Certified Ethical Hacker (CEH) holders:
  1. Keep private and confidential information secure
  2. Not use knowledge for personal gain or malicious purposes
  3. Not break laws while conducting security testing
  4. Disclose security vulnerabilities responsibly
  5. Be honest in all professional dealings
For CISSP and related certifications:
  1. Protect society, the common good, infrastructure
  2. Act honorably, honestly, justly, responsibly, legally
  3. Provide diligent and competent service
  4. Advance and protect the profession
For GIAC certified professionals:
  1. Perform work in a professional and ethical manner
  2. Promote responsible information security practices
  3. Not misuse certification credentials
  4. Report unethical behavior by other certified professionals

Ethical Testing Principles

Do No Harm

Minimize disruption to target systems. Avoid destructive testing methods when possible.

Respect Privacy

Do not access, modify, or exfiltrate personal or sensitive data during testing.

Responsible Disclosure

Report vulnerabilities privately to system owners before public disclosure.

Stay in Scope

Only test systems explicitly authorized. Do not pivot to unauthorized systems.

Built-in Authorization Prompts

Every execution requires explicit confirmation (main.py:454-481): 
print(f"[LEGAL WARNING] - AUTHORIZATION REQUIRED")
print("You are about to deploy an automated penetration testing tool.")
print("This weapon should ONLY be used on:")
print("  • Systems you own")
print("  • Systems with explicit written authorization")
print("")
print("Unauthorized system access = FEDERAL CRIME")
print("Punishment: Fines + Imprisonment")

confirmation = input("Do you have authorization to test this target? (yes/no): ")

if confirmation.lower() not in ['yes', 'y']:
    print("[!] MISSION ABORT - Authorization not confirmed.")
    sys.exit(0)
The comprehensive disclaimer in DISCLAIMER.md covers:
  • Authorization requirements
  • Prohibited uses
  • Legal consequences of misuse
  • User responsibilities
  • Developer liability limitations
  • No warranty statements

Safe Mode Default

Safe mode is enabled by default to prevent accidental damage: 
def __init__(self, safe_mode=True):
    self.safe_mode = safe_mode
This ensures non-destructive testing unless explicitly disabled.

Authorized Use Cases

✅ LEGAL - Authorized Testing

1

Personal Systems

Testing your own computers, servers, or networksExample: Scanning your home lab or personal VPS
2

Written Authorization

Client systems with signed authorization agreementExample: Contracted security assessment for a business
3

Educational Labs

School-provided VM environments for courseworkExample: College cybersecurity lab assignments
4

Bug Bounty Programs

Programs with explicit scope and rulesExample: HackerOne or Bugcrowd in-scope targets
5

Capture The Flag

CTF competition systems designed for hackingExample: HackTheBox, TryHackMe, CTF events

❌ ILLEGAL - Unauthorized Testing

These are FEDERAL CRIMES that can result in prosecution:
  • 🚫 Scanning your employer’s network without permission
  • 🚫 Testing websites to “help them” without authorization
  • 🚫 Scanning competitors or other businesses
  • 🚫 Testing friends’ or family members’ systems as a “favor”
  • 🚫 Scanning government networks or critical infrastructure
  • 🚫 Testing school or university networks without explicit permission
  • 🚫 Scanning any system where you don’t have written authorization

Responsible Vulnerability Disclosure

When You Find Vulnerabilities

If you discover vulnerabilities during authorized testing:
1

Document Findings

Create detailed technical documentation:
  • Vulnerability description
  • Affected systems/versions
  • Steps to reproduce
  • Proof of concept (if appropriate)
  • Potential impact assessment
2

Private Notification

Contact the system owner privately:
  • Use official security contact ([email protected])
  • Provide clear, professional report
  • Do NOT publicly disclose yet
  • Give reasonable time to fix (typically 90 days)
3

Coordinate Disclosure

Work with the vendor/owner:
  • Agree on disclosure timeline
  • Confirm fix has been deployed
  • Coordinate public disclosure if appropriate
4

Public Disclosure (Optional)

After fix is deployed:
  • Write-up for educational purposes
  • Credit vendor for responsive handling
  • Omit sensitive details that could enable attacks

Disclosure Best Practices

DO

  • Report to security@domain or abuse@domain
  • Provide clear technical details
  • Suggest fixes if possible
  • Give reasonable time to patch (90 days)
  • Be professional and constructive

DON'T

  • Publish vulnerabilities immediately
  • Use findings for personal gain
  • Threaten or extort the vendor
  • Exfiltrate sensitive data as “proof”
  • Cause unnecessary damage during testing

Data Handling

What NOT to Do

During penetration testing, you may encounter sensitive data. NEVER:
  • 🚫 Exfiltrate customer data or personal information
  • 🚫 Download databases or file systems
  • 🚫 Copy passwords, credentials, or tokens
  • 🚫 Access email systems or communications
  • 🚫 Modify or delete data
  • 🚫 Share findings publicly before disclosure
  • 🚫 Retain sensitive data after testing completes

Proper Data Handling

1

Minimize Collection

Only collect data necessary to prove vulnerabilities exist
2

Sanitize Examples

Redact sensitive values in reports (use “REDACTED” or ”***”)
3

Secure Storage

Encrypt reports and findings. Use secure file sharing.
4

Prompt Deletion

Delete all test data and artifacts after engagement ends
Good intentions do not constitute authorization. The law does not care why you accessed a system without permission.Real case: Marcus Hutchins (MalwareTech) faced charges for creating malware years earlier, despite later stopping WannaCry ransomware.
Always get written authorization. Verbal agreements are difficult to prove and may not hold up legally.Best practice: Email confirmation at minimum, signed agreement preferred.
Just because a system is accessible on the public internet does not mean you can test it.Illegal: Scanning random websites to find vulnerabilities without permission.
System owners can revoke testing authorization at any time. Stop immediately if asked.Action required: Cease testing, document status, return all materials.
If authorized to test system A, testing system B is unauthorized even if you can access it from A.Example: Authorized to test web server but pivot to database server = illegal.

Educational Use Guidelines

For Students and Learners

AutoPentestX is designed for educational use, but “education” does not justify unauthorized access.

Acceptable Educational Use:

✅ Your own computers and VMs
✅ Lab environments provided by school
✅ Cloud VMs you personally pay for
✅ CTF platforms (HackTheBox, TryHackMe)
✅ Vulnerable by design VMs (Metasploitable, DVWA)

Unacceptable - Still Illegal:

❌ School/university network without explicit permission
❌ Other students’ computers
❌ Campus servers or infrastructure
❌ Local businesses as “practice”
❌ Any real-world target without authorization
1

Use Vulnerable VMs

Download intentionally vulnerable machines:
  • Metasploitable 2/3
  • DVWA (Damn Vulnerable Web App)
  • OWASP WebGoat
  • VulnHub machines
2

CTF Platforms

Join legal hacking platforms:
  • HackTheBox
  • TryHackMe
  • PentesterLab
  • OverTheWire
3

Personal Cloud Labs

Create your own infrastructure:
  • AWS/Azure/GCP free tier
  • Digital Ocean droplets
  • Local VirtualBox/VMware VMs

Real-World Consequences

Notable Prosecutions

These are real cases where people faced legal consequences:
Aaron Swartz (2011)
  • Downloaded academic papers from JSTOR
  • Faced 13 felony counts, up to 50 years
  • Tragically took his own life before trial
Andrew Auernheimer (“weev”) (2012)
  • Discovered AT&T security vulnerability
  • Accessed publicly available data
  • Convicted under CFAA, 41 months prison
  • Later overturned on venue grounds
Dmitry Dokuchaev (2016)
  • Hacked Yahoo and other companies
  • FBI indictment, international fugitive
  • Demonstrates global nature of computer crime laws
Marcus Hutchins (2017)
  • Stopped WannaCry ransomware attack
  • Later arrested for creating banking malware
  • Shows good deeds don’t excuse past crimes

Final Warnings

Before using AutoPentestX, ensure:
  1. ✅ You have written authorization from the system owner
  2. ✅ The target scope is clearly defined
  3. ✅ You have emergency contact information
  4. ✅ You understand applicable laws in your jurisdiction
  5. ✅ You will handle data responsibly
  6. ✅ You will report findings ethically
  7. ✅ You have professional liability insurance (for consultants)
  8. ✅ You will stop immediately if asked
If you cannot confirm ALL of the above, DO NOT PROCEED.

Resources

Ethical Guidelines

Bug Bounty Programs

Practice Platforms

What’s Next?

Installation Guide

Set up AutoPentestX in your legal lab environment

First Scan

Run your first authorized penetration test

Safe Mode

Learn about safety controls and risk mitigation

Report Analysis

Understand and interpret security findings
Remember: The goal of penetration testing is to improve security, not to cause harm. Always operate within legal and ethical boundaries.
FINAL WARNING: Unauthorized access to computer systems is a serious crime. By using AutoPentestX, you accept full responsibility for ensuring you have proper authorization. The developers assume no liability for misuse.

Build docs developers (and LLMs) love

Get started for freeTalk to us