Penetration Testing mailing list archives

Re: Sample pent test agreement
From: Pete Herzog <lists () isecom org>
Date: Mon, 27 Jun 2005 17:59:19 +0200

I recommend a contract that covers the following and is agreed and signed
by both parties:

Non-disclosure - to the level you are both comfortable with.  In some
cases, it may be important that they do not share the test report or
this contract itself outside of their own organization. Be sure to
include the requirement for confidentiality safeguard on both parties
(GPG for example) for limited liability.

Non-compete - if the organization is of the business or nature to
deconstruct and re-engineer your testing practice to

Limited liability - a good rule of thumb is to limit liability to the
cost of the engagement.  This includes everything from down time to
repairs.  I also recommend separately signed pages each excusing you
from very limited liability (10% of cost of engagement) while conducting
Social Engineering (possible employee lawsuits) or Denial of Service
testing (with the clear indication that no bandwidth flooding from the
internet will be performed).

Responsibilities of the client - everything from scope info, e-mail
accounts, network access to the names of emergency contacts can be listed
here.  Ensure that the client knows that he/she is responsible for
contacting any and all related 3rd parties in the necessity of the test
(ISP, partners using the extranet, partners in general whose contractors
are on site and may fall victim to attacks, S.E. etc.).  Do you want
the client to be clear on IDS/IPS or Honeynets so as not to waste your
time and client's money (see Time and scope limitations below for this)?

Responsibilities of the tester - everything from project delivery dates
(such as 3 weeks from start date), ip range where tests will come from,
scheduled weekly meetings, other contact reasons like when you find an
intruder, to emergency contacts.

Statement of Work - describe what you will do (somewhat generally is
fine but do include penetration depth, test perspectives, and similar)
and exact dates for deliveries in some cases.  It's also good to present
what expectations the client can have regarding the report and the info
it from full color 3D maps to video footage of physical entry).

And a tough one but sometimes required:
Time and Scope limitations liability - you are not liable for problems
which arise outside of the scope which was not defined or testing which
was not be conducted before the time limitation set in this contract
expired.  You may have to limit this exception to finalize after the
first 50% of the time defined in the contract has expired.  In simpler
terms, if you fail to announce a required change in scope or time OR the
client refuses to pay a fair and consistent rate for the inclusion of
this additional scope/time within the first 50% of the time the
original contracted has expired, then you do have limited liability.

Since I did this off the top of my head, I may have left stuff out.  But
it's a good start along with some of the other things you've read in the
list so far.


Pete Herzog - Managing Director - pete () isecom org 
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool 
Teacher certification authority. 

random wrote:

I agree completely with Irene. But we do find that some of our larger
customers want to negotiate this point. In that case it is a good idea to
limit your liability to a specified dollar amount like $50K or so. We are
also required to provide proof of insurance in many cases.

-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz () gmail com] 
Sent: Sunday, June 26, 2005 5:28 PM
To: 'Erin Carroll'
Cc: pen-test () securityfocus com
Subject: RE: Sample pent test agreement


Liability, liability, and once again, liability.
You are not liable if they get hacked afterwards. You can't guarantee
anything (zero day, blackbox, etc.)
You are not liable for any damages. (but you could still theoretically
get sued so I'd get good insurance coverage for that)
Then, you need their well written and detailed consent to have you do
things to their systems so nobody accuses you of breaking in.
Another important issue is the scope of the test, so you don't agree on
a fixed price which covers about 2 applications (or servers), and then
get introduced to their mega server/application farm... or simply so
there are no misunderstandings.

These are the most important things, hope I didn't miss anything.


Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

-----Original Message-----
From: Erin Carroll [mailto:amoeba () amoebazone com] 
Sent: Sunday, June 26, 2005 6:37 PM
To: 'evb'; pen-test () securityfocus com
Subject: RE: Sample pent test agreement


Actually I'd like to expand upon Eric's question to the list a bit. What
are some of the common terms/agreements pen-testers should include in their
contracts and why? Examples of how such terms (or lack of) in writing
become issues during pen-testing would be interesting to hear.

Erin Carroll
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: evb [mailto:swiver () cox net] 
Sent: Sunday, June 26, 2005 9:13 AM
To: pen-test () securityfocus com
Subject: RE: Sample pent test agreement

Might anyone be kind enough to share with me a sample penetration
agreement (written contract) to use with clients so that I need not
the wheel?  Thank you so much.

tossing_salads () hotmail com

