Penetration Testing Indemnity Agreement

Let's be honest: if you're doing pen tests, you're essentially "breaking in" to a computer or computer network. Of course, ethical hackers only seek to enter a system at the request of the system owner or operator, or otherwise test systems with the actual or tacit consent of a person in authority. As we teach in 560, there are four documents that form a solid basis for a penetration test. First, the proposal itself. Second, the scope. The scope explains what is being tested, what must not be tested, and which systems, users and services should be treated with special care and love. The rules of engagement define how you should test; this document covers points of contact, schedules and the notification tree for critical findings. The last, the "Authorization to Test" document, will be covered in a moment. I'm glad you asked. First, stay within the scope. Second, test your exploits on a lab system before launching them against the target.

And third, record the fact that you tested your attack. So as not to skew the Service's results, you agree to react normally when you detect traces of Service activity in target system logs or in alerts from systems that monitor the targets, just as you would in the case of a real security breach. In addition, you agree not to inform legal or public authorities of activities that have been established as the Service's. This agreement has the initial term defined in your reference agreement, unless otherwise stated. If you have previously used or paid a fee for the Service, or are currently subject to a fee, and your initial term has not been defined in your reference agreement or in any other agreement between you and Pronet, your initial term is defined as one (1) year from the date of your last payment of fees, your last access, or any other contract between you and Pronet. The term is automatically extended for one year at the end of the initial term and each year thereafter, unless you notify Pronet in writing at least ninety (90) days before the current term expires that you do not intend to renew the agreement. Pronet, or a dealer certified by Pronet, reserves the right to change the rate for the Service at any time. The price for a renewal period is set based on the lowest price in effect on the renewal date.

A pen test agreement looks like a simple document: I'm going to test, you're going to pay. But as with any deal, the devil is in the details, and competent, experienced counsel is needed to avoid the pitfalls. And as with everything else in life, let's be careful. Pen testing is a valuable way to determine how resistant an organization's digital infrastructure is to attack from outsiders. What better way to check the security of a network than to give scary, intelligent people permission to hack it? GIAC offers a penetration testing certification (GPEN). Similarly, IACRB offers a certification in pen testing proficiency (CEPT). EC-Council offers the Licensed Penetration Tester (LPT) credential. But in some states, a pen tester may be required to be a licensed private investigator. Do you think that's stupid? That's right. But it can be the law, depending on why you're pen testing.

If you "collect and analyze electronic records to produce results in court," you may need a PI license. In one extreme case in Texas, it was found that the company that monitors red lights and lightning had specifically violated the Texas licensing law ft.