
RE: Sample pent test agreement

Subject: RE: Sample pent test agreement
Date: Mon, 27 Jun 2005 09:12:21 -0400
I agree completely with Irene. But we do find that some of our larger
customers want to negotiate this point. In that case it is a good idea to
limit your liability to a specified dollar amount like $50K or so. We are
also required to provide proof of insurance in many cases.


-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz@gmail.com] 
Sent: Sunday, June 26, 2005 5:28 PM
To: 'Erin Carroll'
Cc: pen-test@securityfocus.com
Subject: RE: Sample pent test agreement

Hey, 

Liability, liability, and once again, liability.
You are not liable if they get hacked afterwards. You can't guarantee
anything (zero day, blackbox, etc.)
You are not liable for any damages. (but you could still theoretically
get sued so I'd get good insurance coverage for that)
Then, you need their well written and detailed consent to have you do
things to their systems so nobody accuses you of breaking in.
Another important issue is the scope of the test, so you don't agree on
a fixed price which covers about 2 applications (or servers), and then
get introduced to their mega server/application farm... or simply so
there are no misunderstandings.

These are the most important things, hope I didn't miss anything.

Irene




Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com


-----Original Message-----
From: Erin Carroll [mailto:amoeba@amoebazone.com] 
Sent: Sunday, June 26, 2005 6:37 PM
To: 'evb'; pen-test@securityfocus.com
Subject: RE: Sample pent test agreement

Everyone,

Actually I'd like to expand upon Eric's question to the list a bit. What are
some of the common terms/agreements pen-testers should include in their
contracts and why? Examples of how such terms (or lack of) in writing have
become issues during pen-testing would be interesting to hear.

Erin Carroll
"Do Not Taunt Happy-Fun Ball"



-----Original Message-----
From: evb [mailto:swiver@cox.net] 
Sent: Sunday, June 26, 2005 9:13 AM
To: pen-test@securityfocus.com
Subject: RE: Sample pent test agreement

Might anyone be kind enough to share with me a sample penetration testing
agreement (written contract) to use with clients so that I need not reinvent
the wheel?  Thank you so much.

Eric
tossing_salads@hotmail.com

