Penetration Testing mailing list archives
RE: Sample pent test agreement
From: "random" <random () digitalstakeout com>
Date: Mon, 27 Jun 2005 09:12:21 -0400
I agree completely with Irene. But we do find that some of our larger customers want to negotiate this point. In that case it is a good idea to limit your liability to a specified dollar amount like $50K or so. We are also required to provide proof of insurance in many cases.

-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz () gmail com]
Sent: Sunday, June 26, 2005 5:28 PM
To: 'Erin Carroll'
Cc: pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Hey,

Liability, liability, and once again, liability.
You are not liable if they get hacked afterwards. You can't guarantee anything (zero day, blackbox, etc.)
You are not liable for any damages. (But you could still theoretically get sued, so I'd get good insurance coverage for that.)

Then, you need their well-written and detailed consent to have you do things to their systems so nobody accuses you of breaking in.

Another important issue is the scope of the test, so you don't agree on a fixed price which covers about 2 applications (or servers), and then get introduced to their mega server/application farm... or simply so there are no misunderstandings.

These are the most important things, hope I didn't miss anything.

Irene

Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

-----Original Message-----
From: Erin Carroll [mailto:amoeba () amoebazone com]
Sent: Sunday, June 26, 2005 6:37 PM
To: 'evb'; pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Everyone,

Actually I'd like to expand upon Eric's question to the list a bit. What are some of the common terms/agreements pen-testers should include in their contracts, and why? Examples of how such terms (or the lack of them) in writing have become issues during pen-testing would be interesting to hear.

Erin Carroll
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: evb [mailto:swiver () cox net]
Sent: Sunday, June 26, 2005 9:13 AM
To: pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Might anyone be kind enough to share with me a sample penetration testing agreement (written contract) to use with clients so that I need not reinvent the wheel? Thank you so much.

Eric
tossing_salads () hotmail com