-- This is a draft template for a letter that might be sent to a vendor
-- or business providing a product or service that could be tested or
-- evaluated by a 6.857 team, asking for permission. It can be modified
-- as appropriate for particular use.

Dear [ fill in name of contact ] --

We are students taking 6.857 (Computer and Network Security) this spring 2020 term at the Massachusetts Institute of Technology. Our names are (...).

One of the requirements of this class is to do a "final project". The topic of our final project is rather unrestricted; just that

(a) it should be "about security"
(b) it should be "interesting"
(c) if the project involves testing or evaluation of commercially available products or services, the 6.857 project team needs prior permission of the provider before proceeding with the testing or evaluation.

We have decided that we would like to do the following for our project.

[Rewrite as necessary]
Evaluate the security of your product "Sleep Monitor Pro", which is described here: [URL]
We would like to review the product's security policy, security mechanism design, and implementation. We may discover gaps or vulnerabilities.

As this is a commercially available product, we are writing to ask for your permission for us to proceed.

We would write a final project report to be submitted to the class staff on Tuesday, May 12, 2020. We would simultaneously send you a copy of our final report.

These reports must be published on the class web site. For example, here is the 2017 class projects page with final reports:
https://courses.csail.mit.edu/6.857/2017/projects

The content of the report is up to us; you would not have the option to edit or censor any portions, although we would of course appreciate and consider any remarks or suggestions you might have on a draft version.

If a serious vulnerability is discovered, the staff will delay posting of the report for up to six months while the vulnerability is fixed. (This is the class "responsible disclosure" policy.) Otherwise, the report is posted more or less immediately.

We hope you are agreeable to our working on this project. (Many companies find such "free consulting" to be helpful and worthwhile.)

[Optional]
Ideally, we would like to collaborate with your engineering team to review the security policy, mechanisms, and implementation of your product (or service). This is not necessary, but would be very helpful, and would increase both the quality of our research and the prospective utility to you of our final results.

[Optional]
Our research may involve some "reverse engineering": we may disassemble a purchased copy of your product for analysis. Unless you specify otherwise, your permission for us to proceed is assumed to extend to permission for such reverse engineering.

Please let us know if this is agreeable to you. We need to turn in a project proposal shortly, so time is of the essence. (We need an email confirmation of permission to turn in with our proposal.)

You can reach us for discussion at:

name, email, phone
name, email, phone
name, email, phone

We look forward to your reply!

(Signed)
name, name, name