Penetration Testing mailing list archives

RE: Sample pent test agreement


From: "random" <random () digitalstakeout com>
Date: Mon, 27 Jun 2005 09:12:21 -0400

I agree completely with Irene. But we do find that some of our larger
customers want to negotiate this point. In that case it is a good idea to
limit your liability to a specified dollar amount like $50K or so. We are
also required to provide proof of insurance in many cases.


-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz () gmail com] 
Sent: Sunday, June 26, 2005 5:28 PM
To: 'Erin Carroll'
Cc: pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Hey, 

Liability, liability, and once again, liability.
You are not liable if they get hacked afterwards. You can't guarantee
anything (zero day, blackbox, etc.)
You are not liable for any damages. (but you could still theoretically
get sued so I'd get good insurance coverage for that)
Then, you need their well written and detailed consent to have you do
things to their systems so nobody accuses you of breaking in.
Another important issue is the scope of the test, so you don't agree on
a fixed price which covers about 2 applications (or servers), and then
get introduced to their mega server/application farm... or simply so
there are no misunderstandings.

These are the most important things, hope I didn't miss anything.

Irene




Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com


-----Original Message-----
From: Erin Carroll [mailto:amoeba () amoebazone com] 
Sent: Sunday, June 26, 2005 6:37 PM
To: 'evb'; pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Everyone,

Actually I'd like to expand upon Eric's question to the list a bit. What
are some of the common terms/agreements pen-testers should include in their
contracts and why? Examples of how such terms (or lack of) in writing
have become issues during pen-testing would be interesting to hear.

Erin Carroll
"Do Not Taunt Happy-Fun Ball"



-----Original Message-----
From: evb [mailto:swiver () cox net] 
Sent: Sunday, June 26, 2005 9:13 AM
To: pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Might anyone be kind enough to share with me a sample penetration
testing agreement (written contract) to use with clients so that I need not
reinvent the wheel?  Thank you so much.

Eric
tossing_salads () hotmail com
