Vulnerability Testing Agreement
Vulnerability testing should proceed only once both parties have a complete understanding of what is going to happen. A live system needs to be tested very cautiously to avoid inconveniencing users. If a standalone test system can be arranged, then a more aggressive approach may be used. Either way, agreement needs to be confirmed in writing before testing can commence.
I have a standard terms and conditions document that sets out a few ground rules for my testing services. I don't make this publicly available, but any potential client can ask for a copy for perusal. Basically, it says:
- All information I have about the client's system, both given to me and that I find, will be treated in strictest confidence.
- I'll conduct my testing as agreed, in time slots as agreed, using methods and techniques as agreed.
- The client's system is going to be attacked in a hostile, albeit controlled, way. I make every effort to ensure no damage is done, but the whole point is that I'm trying to break it. I can't be held liable if there is permanent damage or data loss. It's the client's responsibility to take backups, etc.
- Just because the client's system has been tested, that doesn't mean it's immune to attack.
Once the terms are agreed, the client completes my "specification" document, which details the systems, servers, IP addresses and so on that are to be tested, a technical contact I can call should I crash a system, and so on. I need this information signed off (digitally or with old-fashioned ink) before I can proceed.
Note that my agreement documents are generic, and will sometimes need to be modified for a particular test. I'm happy to consider and make such modifications as necessary.