Title: My first official pentest - Writing contract
Post by: pwned on March 08, 2011, 11:39:56 AM

I'm about to do my first official pentest in 2 days and am working on a contract that gives me permission to do the test and so on.
But since I haven't worked by contract before, I would like a nudge in the right direction when it comes to the contracting part.

Bottom line on the test: A company that offers hosting and web design is in need of a pentest on their web platform, which includes sites designed and coded by them that are hosted on their server. So basically I will do a "full" pentest, excluding password attacks and DoS attacks.

The only things I have down in the contract so far are:
- The company permits me, during a period of time, to conduct the pentest.
- All information and results are confidential.
- As a result of the test, a presentation with the admin which includes fixes.
- The test will be conducted within the company's network.

I know that I'm missing A LOT, but I would really need someone to nudge me in the right direction.

Title: Re: My first official pentest - Writing contract
Post by: hell_razor on March 08, 2011, 12:08:52 PM

You should probably try to include an indemnity clause for any downtime, damage to their systems, etc., as part of the permission section. They may decline it (all contracts are negotiable and should be treated by both parties as such), but try.

Title: Re: My first official pentest - Writing contract
Post by: Equix3n- on March 08, 2011, 10:25:11 PM

Perhaps this might help you:
http://www.pentest-standard.org/index.php/Pre-engagement

Title: Re: My first official pentest - Writing contract
Post by: ajohnson on March 11, 2011, 07:03:11 PM

I'd be terrified to do a pen test with a contract I wrote. I hope this went / is going well for you. You should seriously have a lawyer who is familiar with these types of services write the contracts for you. Have you purchased insurance?