RE: Sample pent test agreement

From: random (random@digitalstakeout.com)
Date: Mon Jun 27 2005 - 09:12:21 EDT


I agree completely with Irene. But we do find that some of our larger
customers want to negotiate this point. In that case it is a good idea to
limit your liability to a specified dollar amount like $50K or so. We are
also required to provide proof of insurance in many cases.

-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz@gmail.com]
Sent: Sunday, June 26, 2005 5:28 PM
To: 'Erin Carroll'
Cc: pen-test@securityfocus.com
Subject: RE: Sample pent test agreement

Hey,

Liability, liability, and once again, liability.
You are not liable if they get hacked afterwards. You can't guarantee
anything (zero-day, black box, etc.).
You are not liable for any damages. (But you could still theoretically
get sued, so I'd get good insurance coverage for that.)
Then, you need their well written and detailed consent to have you do
things to their systems so nobody accuses you of breaking in.
Another important issue is the scope of the test, so you don't agree on
a fixed price which covers about 2 applications (or servers), and then
get introduced to their mega server/application farm... or simply so
there are no misunderstandings.

These are the most important things, hope I didn't miss anything.

Irene

Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

-----Original Message-----
From: Erin Carroll [mailto:amoeba@amoebazone.com]
Sent: Sunday, June 26, 2005 6:37 PM
To: 'evb'; pen-test@securityfocus.com
Subject: RE: Sample pent test agreement

Everyone,

Actually I'd like to expand upon Eric's question to the list a bit. What
are some of the common terms/agreements pen-testers should include in
their contracts and why? Examples of how such terms (or lack of) in
writing have become issues during pen-testing would be interesting to hear.

Erin Carroll
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: evb [mailto:swiver@cox.net]
Sent: Sunday, June 26, 2005 9:13 AM
To: pen-test@securityfocus.com
Subject: RE: Sample pent test agreement

Might anyone be kind enough to share with me a sample penetration testing
agreement (written contract) to use with clients so that I need not
reinvent the wheel? Thank you so much.

Eric
tossing_salads@hotmail.com



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:30 EDT