Penetration Testing mailing list archives
Re: Sample pent test agreement
From: Pete Herzog <lists () isecom org>
Date: Mon, 27 Jun 2005 17:59:19 +0200
I recommend a contract that covers the following and is agreed and signed by both parties:

Non-disclosure - to the level you are both comfortable with. In some cases, it may be important that they do not share the test report or this contract itself outside of their own organization. Be sure to include the requirement for confidentiality safeguards on both parties (GPG for example) for limited liability.

Non-compete - if the organization is of the business or nature to deconstruct and re-engineer your testing practice to

Limited liability - a good rule of thumb is to limit liability to the cost of the engagement. This includes everything from down time to repairs. I also recommend separately signed pages each excusing you from very limited liability (10% of cost of engagement) while conducting Social Engineering (possible employee lawsuits) or Denial of Service testing (with the clear indication that no bandwidth flooding from the internet will be performed).

Responsibilities of the client - everything from scope info, e-mail accounts, network access to the names of emergency contacts can be listed here. Ensure that the client knows that he/she is responsible for contacting any and all related 3rd parties in the necessity of the test (ISP, partners using the extranet, partners in general whose contractors are on site and may fall victim to attacks, S.E. etc.). Do you want the client to be clear on IDS/IPS or Honeynets so as not to waste your time and client's money (see Time and scope limitations below for this)?

Responsibilities of the tester - everything from project delivery dates (such as 3 weeks from start date), IP range where tests will come from, scheduled weekly meetings, other contact reasons like when you find an intruder, to emergency contacts.

Statement of Work - describe what you will do (somewhat generally is fine but do include penetration depth, test perspectives, and similar) and exact dates for deliveries in some cases.
It's also good to present what expectations the client can have regarding the report and the info it from full color 3D maps to video footage of physical entry).

And a tough one but sometimes required:

Time and Scope limitations liability - you are not liable for problems which arise outside of the scope which was not defined or testing which was not conducted before the time limitation set in this contract expired. You may have to limit this exception to finalize after the first 50% of the time defined in the contract has expired. In simpler terms, if you fail to announce a required change in scope or time OR the client refuses to pay a fair and consistent rate for the inclusion of this additional scope/time within the first 50% of the time the original contract has expired, then you do have limited liability.

Since I did this off the top of my head, I may have left stuff out. But it's a good start along with some of the other things you've read in the list so far.

-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.

random wrote:
I agree completely with Irene. But we do find that some of our larger customers want to negotiate this point. In that case it is a good idea to limit your liability to a specified dollar amount like $50K or so. We are also required to provide proof of insurance in many cases.

-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz () gmail com]
Sent: Sunday, June 26, 2005 5:28 PM
To: 'Erin Carroll'
Cc: pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Hey,

Liability, liability, and once again, liability. You are not liable if they get hacked afterwards. You can't guarantee anything (zero day, blackbox, etc.) You are not liable for any damages. (but you could still theoretically get sued so I'd get good insurance coverage for that)

Then, you need their well written and detailed consent to have you do things to their systems so nobody accuses you of breaking in.

Another important issue is the scope of the test, so you don't agree on a fixed price which covers about 2 applications (or servers), and then get introduced to their mega server/application farm... or simply so there are no misunderstandings.

These are the most important things, hope I didn't miss anything.

Irene

Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

-----Original Message-----
From: Erin Carroll [mailto:amoeba () amoebazone com]
Sent: Sunday, June 26, 2005 6:37 PM
To: 'evb'; pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Everyone,

Actually I'd like to expand upon Eric's question to the list a bit. What are some of the common terms/agreements pen-testers should include in their contracts and why? Examples of how such terms (or lack of) in writing have become issues during pen-testing would be interesting to hear.
Erin Carroll
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: evb [mailto:swiver () cox net]
Sent: Sunday, June 26, 2005 9:13 AM
To: pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Might anyone be kind enough to share with me a sample penetration testing agreement (written contract) to use with clients so that I need not reinvent the wheel? Thank you so much.

Eric
tossing_salads () hotmail com