Business model for penetration testing and vulnerability finding

From: Gleb Paharenko (gpaharenko@gmail.com)
Date: Fri Nov 30 2007 - 14:54:52 EST


Hi all.

Please, can members of security consulting firms share their
experience about their business model (set of their services)?

What should be agreed between client and tester before the beginning of work (
 - what is a vulnerability
 - what is a compromise of the system
 - perhaps others).

Is it really necessary to sign some documents, so that later the owner of
the site you have tested does not take you to court for hacking?

Does somebody have experience of getting money for found
vulnerabilities (perhaps white and black box testing can have different
prices)? Do you have different rates for different kinds of issues (one
price for XSS, another for CSRF, etc.)?

I'd appreciate every thought on this subject.

-- 
Best regards.
Gleb Pakharenko.