Authorized Testing Only
You must have explicit, written authorization from the owner of the target system before running Shannon.
Unauthorized security testing is illegal and unethical. Violations can result in criminal prosecution, civil liability, and severe penalties.
What Constitutes Authorization?
Valid authorization requires:
Written Permission
Obtain explicit, written consent from the system owner or authorized representative. Verbal agreements are insufficient.
Defined Scope
Clearly document:
- Target applications and systems
- IP addresses and domains
- Testing timeframes
- Allowed testing methods
- Off-limits systems or data
Stakeholder Notification
Ensure all relevant stakeholders are informed:
- Security teams
- Operations teams
- Legal department
- Compliance officers
Computer Fraud and Abuse Act (CFAA) Compliance
United States Law
The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is the primary U.S. federal law governing computer security.
Penalties
CFAA violations can result in:
- Criminal penalties: Up to 10 years imprisonment for first offense
- Enhanced penalties: Up to 20 years for repeat offenses
- Civil liability: Damages and injunctive relief
- Fines: Substantial monetary penalties
Safe Harbor: Authorized Security Research
The CFAA includes limited safe harbor provisions for good-faith security research:
- Must be conducted solely for security research purposes
- Must be authorized by the system owner
- Must not cause damage or economic harm
- Must comply with responsible disclosure practices
International Legal Considerations
Similar laws exist worldwide:
Europe
- UK Computer Misuse Act 1990: Unauthorized access is criminal
- EU Cybersecurity Directive: Member states have similar provisions
- GDPR: Data protection requirements during security testing
Other Jurisdictions
- Canada Criminal Code: Section 342.1 (unauthorized use of computer)
- Australia Cybercrime Act 2001: Unauthorized access and modification
- Singapore Computer Misuse Act: Unauthorized access and modification
Always consult with legal counsel familiar with the applicable jurisdiction before conducting security testing.
Responsible Disclosure
When vulnerabilities are discovered, follow responsible disclosure practices:
Disclosure Timeline
Initial Report (Day 0)
- Document the vulnerability thoroughly
- Include proof-of-concept (if safe to share)
- Report to the organization’s security contact
- Use encrypted communication when possible
Acknowledgment (Day 1-7)
- Confirm receipt with the organization
- Establish communication channel
- Agree on disclosure timeline
- Provide additional details if needed
Remediation (Day 7-90)
- Allow time for validation and patching
- Provide assistance if requested
- Coordinate on disclosure date
- Standard disclosure: 90 days
Vulnerability Disclosure Platforms
Consider using established platforms:
- HackerOne: Coordinated disclosure platform
- Bugcrowd: Vulnerability disclosure and bug bounties
- CERT/CC: For critical infrastructure vulnerabilities
- Company-specific programs: Many organizations have formal programs
Defensive Security Tool
Shannon is designed and intended exclusively as a defensive security tool.
Legitimate Use Cases
Application Security
- Test your own applications
- Validate security controls
- Pre-deployment security checks
- Continuous security testing
Authorized Engagements
- Professional penetration testing
- Red team assessments
- Security consulting engagements
- Bug bounty programs
Research & Education
- Security research on owned systems
- Educational environments
- Capture-the-flag (CTF) competitions
- Security training labs
Compliance & Audit
- SOC 2 Type II preparation
- ISO 27001 compliance testing
- PCI DSS security validation
- HIPAA security assessments
Prohibited Uses
Explicit Permission Requirements
Internal Testing
Even when testing your own organization’s systems:
Third-Party Testing
When testing on behalf of a client:
Cloud and Hosted Environments
Additional considerations for cloud platforms:
- AWS: Review AWS Customer Support Policy for Penetration Testing
- Azure: Follow Microsoft Cloud Unified Penetration Testing Rules of Engagement
- Google Cloud: Check GCP Penetration Testing requirements
Most cloud providers now allow penetration testing without prior approval for many services, but you should still review their policies and notify them of testing.
Liability and Responsibility
User Responsibility
Keygraph Disclaimer
Keygraph is not responsible for:
- Misuse of Shannon
- Unauthorized testing activities
- Damages resulting from Shannon use
- Legal consequences of improper use
- Third-party actions or claims
License Terms
Shannon Lite is released under the GNU Affero General Public License v3.0 (AGPL-3.0). Key implications:
- Free to use for internal security testing
- Modifications for internal use need not be shared
- SaaS providers must open-source modifications
- No warranty or liability from Keygraph
- Use at your own risk
Best Practices
Before Starting
- Review Authorization: Confirm you have written permission
- Understand Scope: Know exactly what you can and cannot test
- Assess Risks: Understand potential impacts of testing
- Plan Communication: Establish escalation procedures
- Backup Data: Ensure systems can be restored if needed
During Testing
- Stay Within Scope: Don’t test unauthorized systems
- Monitor Impact: Watch for unintended effects
- Document Everything: Maintain detailed logs
- Communicate Issues: Report critical findings immediately
- Respect Limits: Stop if you exceed authorized scope
After Testing
- Secure Findings: Protect vulnerability data
- Report Responsibly: Follow disclosure guidelines
- Clean Up: Remove test accounts and artifacts
- Debrief Stakeholders: Share lessons learned
- Archive Evidence: Maintain records for compliance
Getting Help
If you have questions about legal or ethical use of Shannon:
- Legal Counsel: Consult an attorney familiar with cybersecurity law
- Keygraph Team: Contact us at [email protected]
- Community: Join our Discord for discussions
- Documentation: Review our usage guidelines
