What should be included in a penetration test contract?
A penetration test contract should include the following:
- Scope of work: This section lists exactly what the penetration testing team will do. It names the systems and applications to be tested (and any that are explicitly excluded), the testing methods that will be used, and the window during which testing may take place.
- Service Level Agreement: This section should define the expected service level provided by the penetration testing team, including the anticipated response time for any issues that may arise during the testing process.
- Payment Terms: This section should clearly outline the payment terms for the penetration testing services. It must include the total cost of the testing, along with any additional fees that may be incurred.
- Confidentiality Agreement: This section outlines the confidentiality requirements for the penetration testing team and includes steps the team will take to protect the organization’s sensitive information.
- Key Deliverables: This section should outline the major deliverables that the penetration testing team will provide. It should include a comprehensive list of the reports and other documentation that the team will deliver to the organization.
- Completion Date: This section should specify the expected completion date for the penetration testing services, including both the start and end dates of the testing period.
- Legal requirements: This section should detail the legal obligations that the penetration testing team must adhere to. It should include any relevant regulations the team must comply with, as well as the legal consequences that may arise from non-compliance. The organization's written authorization to test the listed systems belongs here too; it is what separates the engagement from unauthorized access.
- Signatures: This section must include signature lines for both parties, their printed names, and the date the contract was signed.
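The scope and completion-date items above only protect both parties if the testers enforce them before any tool is pointed at a host. The following Python example is added here to show one way of doing that; it is not part of either contract on this page, and every network, hostname and date in it is a constructed placeholder. It takes the contract's in-scope ranges and hostnames, the client's exclusions (which always take precedence), the agreed start and end dates and any blackout windows, and answers, for each candidate target, whether it may be tested and, if not, why.

```python
"""Scope and testing-window check for a penetration test engagement.

Added example, not part of either contract on this page. It turns the
contract's "System(s) to be tested", exclusions and start/end dates into a
check that runs before any tool is pointed at a host. All networks,
hostnames and dates below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Scope:
    in_scope_networks: list      # CIDR strings from the "System(s) to be tested" clause
    in_scope_hosts: set          # hostnames named in the contract (lower-case)
    excluded_networks: list      # CIDRs the client carved out; these take precedence
    excluded_hosts: set
    start: datetime              # agreed testing period, timezone-aware
    end: datetime
    blackout_windows: list = field(default_factory=list)  # (start, end) pairs


def _in_any(ip, cidrs):
    # strict=False accepts host-style entries such as "10.20.1.7/24", which
    # contracts frequently list; the version check inside ip_network's
    # __contains__ keeps IPv4 addresses out of IPv6 ranges and vice versa.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def check_target(scope, target, now):
    """Return (allowed, reason) for a single IP address or hostname.

    Order matters: time window first, then explicit exclusions, then
    inclusions, so an exclusion always wins over an overlapping in-scope range.
    """
    if not (scope.start <= now <= scope.end):
        return False, "outside the agreed testing period"
    for b_start, b_end in scope.blackout_windows:
        if b_start <= now <= b_end:
            return False, "inside a client-declared blackout window"

    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat it as a hostname and match by name only.
        # Deliberately no DNS resolution: a name that happens to resolve into
        # an in-scope range is still out of scope unless the contract names it.
        host = target.strip().lower().rstrip(".")
        if host in scope.excluded_hosts:
            return False, "hostname explicitly excluded"
        if host in scope.in_scope_hosts:
            return True, "hostname listed in scope"
        return False, "hostname not listed in scope"

    if _in_any(ip, scope.excluded_networks):
        return False, "address in an excluded range"
    if _in_any(ip, scope.in_scope_networks):
        return True, "address in an in-scope range"
    return False, "address not in any in-scope range"


def filter_targets(scope, targets, now):
    """Split a candidate list into (allowed, rejected); rejected carries reasons."""
    allowed, rejected = [], []
    for t in targets:
        ok, why = check_target(scope, t, now)
        if ok:
            allowed.append(t)
        else:
            rejected.append((t, why))
    return allowed, rejected


# Constructed sample engagement (placeholder values, not real systems).
_UTC = timezone.utc
EXAMPLE_SCOPE = Scope(
    in_scope_networks=["10.20.1.0/24", "2001:db8:10::/48"],
    in_scope_hosts={"portal.example.test", "api.example.test"},
    excluded_networks=["10.20.1.250/31"],      # e.g. the client's database pair
    excluded_hosts={"payroll.example.test"},
    start=datetime(2024, 3, 4, 9, 0, tzinfo=_UTC),
    end=datetime(2024, 3, 15, 17, 0, tzinfo=_UTC),
    blackout_windows=[(datetime(2024, 3, 8, 0, 0, tzinfo=_UTC),
                       datetime(2024, 3, 8, 23, 59, tzinfo=_UTC))],
)
DURING_WINDOW = datetime(2024, 3, 6, 14, 0, tzinfo=_UTC)
BEFORE_WINDOW = datetime(2024, 3, 1, 14, 0, tzinfo=_UTC)
IN_BLACKOUT = datetime(2024, 3, 8, 12, 0, tzinfo=_UTC)

if __name__ == "__main__":
    candidates = ["10.20.1.7", "10.20.1.251", "10.20.2.7", "2001:db8:10::1",
                  "portal.example.test", "payroll.example.test", "www.example.test"]
    ok, bad = filter_targets(EXAMPLE_SCOPE, candidates, DURING_WINDOW)
    print("allowed:", ok)
    for target, why in bad:
        print("rejected:", target, "-", why)
```

Exclusions are checked before inclusions so that an overlapping carve-out wins, and hostnames are matched by name only; the check deliberately does not resolve DNS. The rejected list, with its reasons, is worth keeping with the engagement records, since it documents that the scope clause was honored.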
Example of a penetration test contract
Penetration Test Contract
This agreement is made between [Organization Name] and [Penetration Testing Team Name] (the Team) on [Date]. The purpose of this agreement is to outline the terms and conditions for the penetration testing services that will be provided by [Penetration Testing Team Name].
Scope of Work
The penetration testing team will perform a comprehensive security assessment of the organization's information systems. This assessment may include testing the organization's network, applications, and other systems for vulnerabilities. The team may use a variety of testing methods, including penetration testing, vulnerability scanning, and social engineering. The team will provide a detailed report of their findings to the organization, together with recommendations for improving the organization's security posture. Testing is limited to the systems listed below; any system not listed is out of scope unless added by written agreement of both parties.
System(s) to be tested: [SYSTEMS]
Penetration Testing Components
Network Scanning
System Profiling
Vulnerability Identification
Vulnerability Exploitation
Privilege Escalation
Service Level Agreement
The penetration testing team will provide the organization with a high level of service. The team will respond to any issues that arise during the testing process in a timely manner. The team will provide the organization with regular updates on the progress of the testing. The team will provide the organization with a final report of their findings within [Number] days of completing the testing.
Payment Terms
The organization will pay the penetration testing team a total of [Amount] for the testing services. The organization will pay the team [Amount] upfront and [Amount] upon completion of the testing. The organization will pay any additional fees that may be incurred during the testing process.
Confidentiality Agreement
The penetration testing team will protect the organization's sensitive information. The team will not disclose any information about the organization's systems or applications to any third parties. The team will take all necessary steps to ensure the confidentiality of the organization's information.
Key Deliverables
The Organization will receive the following key deliverables from the penetration testing team:
- A detailed report of the team's findings
- A list of recommendations for improving the organization's security posture
- A list of best practices for maintaining the organization's security posture
- A list of resources for further information on security best practices
Completion Date
The penetration testing team will begin the testing on [Date] and will complete the testing on [Date].
Legal Requirements
The penetration testing team will comply with all legal requirements. The team will follow all regulations that apply to the testing process. The team will take all necessary steps to ensure that the testing is conducted in a legal and ethical manner.
The Team will take reasonable steps to preserve the data integrity and operational status of the systems under test, but this cannot be guaranteed. The Team shall be under no liability whatsoever to the Organization for any indirect loss and/or expense (including loss of profit) suffered by the Organization arising out of a breach by the Team of this contract.
Both parties shall maintain this contract as confidential. No information about this contract, its terms, or its fees shall be released by either party. Information about the Organization's business, computer systems, or security situation that the Team obtains during the course of its work will not be released to any third party without prior written approval.
The Team and the Organization have imparted, and may from time to time impart, to each other certain confidential information relating to each other's business, including specific documentation. Each party agrees that it shall use such confidential information solely for the purpose of the service and that it shall not disclose such information, directly or indirectly, expressly or otherwise, to any third party. Where disclosure to a third party by either party is essential, that party shall, with the agreement of the other party and prior to any such disclosure, obtain from the third party duly binding agreements to maintain the disclosed information in confidence to at least the same extent as the parties are bound.
Neither party shall be liable for any default due to any act of God, war, strike, lockout, industrial action, fire, flood, drought, storm, or other event beyond the reasonable control of either party.
This contract is subject to the laws of the State of Texas.
Signature
[Organization Name] [Date]
[Penetration Testing Team Name] [Date]
An example of a Security Assessment Agreement
SECURITY ASSESSMENT AGREEMENT
This [COMPANY] Security Assessment Agreement (the “Agreement”) shall only apply to products and services that are ordered by Customer and made available online by [COMPANY] or its Affiliates (“Services”). As of the Effective Date of this Agreement, an Assessment may only be performed on the Services (and associated mobile applications made available by [COMPANY] in connection with the foregoing).
The parties agree as follows:
1. Permission to Perform a Security Assessment.
This Agreement shall only apply to products and services that are ordered by Customer and made available online by [COMPANY] or its Affiliates (“Services”).  “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Solely in accordance with the terms of this Agreement, [COMPANY] grants Customer permission to perform a web application security assessment of an applicable Service and/or non-intrusive network testing of domain URLs, in each case as directly connected to Customer’s Account (each, an “Assessment”).       
Customer may conduct the Assessment using a combination of commercial off-the-shelf tools along with manual inspection (e.g. hidden fields examination, etc.) to examine the level of protection of the applicable Customer Account, and/or using penetration, intrusion, and/or analysis services using intrusive or passive techniques and software tools, subject to any policies or procedures outlined herein or related Security Assessment documentation.  The results of all Assessments shall only be included in a Report which shall be prepared in accordance with this Agreement. [COMPANY] reserves the right to establish product-specific testing blackout windows as needed. 
2. Restrictions.
The Assessment will be subject to the following restrictions:
a. Customer shall not access, retrieve, transfer, download, or modify (collectively, “Access”) any data other than data residing on Customer’s Account(s) being tested hereunder. In the event that Customer Accesses any data other than data residing on Customer’s Account(s) being tested hereunder, Customer shall immediately report this via an email to [COMPANY EMAIL] and [COMPANY] reserves the right to discontinue the Assessment.
b. Customer may not subcontract, assign, or transfer any rights or obligations granted under this Agreement without the prior written approval of [COMPANY]. If Customer uses a third party to do the Assessment, the third party must be subject to confidentiality and security obligations no less restrictive than those applicable to Customer. Customer shall ensure any such third party complies with all requirements related to the Assessment under this Agreement, and shall be primarily and fully responsible for all actions or omissions of such third party in any way related to such Assessment.
3. Third Party Hosting Provider Related Assessments. In the event Customer’s Assessment relates to a Service that utilizes a third party hosting provider for Customer Data Storage, Customer agrees to comply with the applicable requirements of such third party hosting provider (including but not limited to requirements stated at (i) https://aws.amazon.com/security/penetration-testing/, (ii) https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement and (iii) https://cloud.google.com/security/overview/).
4. Discontinuance of Assessment. Upon [COMPANY]’s request, Customer shall immediately discontinue any Assessment, which in [COMPANY]’s sole judgment and sole discretion disrupts, degrades, or otherwise is harmful in any manner to [COMPANY]’s service. [COMPANY], in its sole discretion for business sustainability or service protection may block or cause a forced disconnect of any Customer Assessment access.
5. Reports. Promptly following the completion of the Assessment, Customer shall email [COMPANY EMAIL] a written report containing the information generated from the Assessment, including without limitation, the information listed in Exhibit A (“Reporting Requirements”). Customer agrees to strictly maintain the confidentiality of this Report per the terms of this Agreement and shall not disclose the Report to any individual or entity other than its employees on a need‐to‐know basis. Customer agrees to report all vulnerabilities classified as “High” in the Report immediately.
6. Confidentiality. Customer agrees to regard and preserve as confidential all information related to the technology, business and activities of [COMPANY] and its customers, clients, suppliers and other entities, and all information and data discovered by Customer in performing the Assessment, including without limitation, any Reports generated therefrom (“Confidential Information”). Confidential Information shall also include any information a reasonable person would consider confidential. Customer agrees to hold such Confidential Information in trust and confidence for [COMPANY] and not to disclose such Confidential Information to any person, firm or enterprise, or use (directly or indirectly) any such Confidential Information for its own benefit or the benefit of any other party, unless authorized by [COMPANY] in writing, and even then, to limit access to and disclosure of such Confidential Information to such [COMPANY]‐approved party’s employees on a “need to know” basis only. Confidential Information shall not be considered confidential to the extent, but only to the extent, that such Confidential Information is: (i) already known to the receiving party free of any restriction at the time it is obtained from the other party; (ii) subsequently learned from an independent third party free of any restriction and without breach of this Agreement or such independent third party’s agreement with [COMPANY]; or (iii) is or becomes publicly available through no wrongful act of either party. To the extent any Confidential Information is required to be disclosed pursuant to a requirement of a governmental agency, regulator or law, Customer shall provide, to the extent legally permitted, [COMPANY] with timely advance written notice of such requirements to allow [COMPANY] to contest such disclosure, and shall only disclose the Confidential Information required by law to be disclosed. 
In such event Customer shall cooperate with [COMPANY]’s efforts to maintain the confidentiality of such Confidential Information and to so limit such disclosure.
7. Customer Responsibilities. Customer will perform all Assessments in a competent and professional manner, using personnel who have the proper skill, qualifications, training and background to perform the Assessment in the manner specified herein. Customer shall make reasonable efforts to validate all findings prior to reporting. Customer shall not infringe upon or violate the rights of any third party in performing the Assessment or preparing any Reports under this Agreement. Customer agrees to provide [COMPANY] with any information related to the manner of Assessment, including without limitation any ideas, methods, processes or techniques, and [COMPANY] shall have a right to use such information without restriction, liability or obligation, except as may be expressly specified herein.
8. [COMPANY] Services. Any production or commercial use of [COMPANY] products and services will be governed by a separate subscription agreement between [COMPANY] and Customer. Nothing in this Agreement shall be construed to mean that any Assessment performed shall constitute a certification or warranty that [COMPANY]’s services and systems are secure.
9. Indemnification. Customer shall indemnify [COMPANY] from and against any and all judgments, costs, awards, losses, expenses (including reasonable attorneys’ fees) and liability of any kind arising out of any failure of Customer (or any third party acting on Customer’s behalf) to: (i) comply with the terms of this Agreement relating to the Assessment; (ii) abide by [COMPANY]’s instructions in conducting the Assessment; and (iii) cease the Assessment upon [COMPANY]’s request.
10. Disruption. Customer agrees that [COMPANY] shall not have any liability arising out of or related to delays, failures or other deficiencies in the performance of the Services if and to the extent that they are caused by an Assessment.
11. [COMPANY] Security Team. To the extent that Customer has any questions regarding the Assessment results, Customer shall first consult the Resources noted in Exhibit A (“Resources”). If the answer or explanation to the Customer’s question is not contained in the Resources, Customer may request assistance by sending an email to [COMPANY EMAIL], which includes a written report containing the information generated from the Assessment, including without limitation, the information listed in Exhibit A (“Reporting Requirements”). In no event will [COMPANY] provide feedback to Customer in relation to any application or custom code developed by Customer for use in connection with the [COMPANY] services. Customer acknowledges and agrees that [COMPANY] has no obligation to comment on any Reports generated from, or questions regarding, the Customer’s Assessment, and that [COMPANY]’s answering of any such questions as set forth above or otherwise is at [COMPANY]’s sole discretion as an accommodation, and that Customer is solely responsible for the interpretation of any Assessment Reports and results.
12. Governing Law. This Agreement shall be construed and enforced under the internal substantive laws of the State of California. The state and federal courts located in San Francisco County, California will have exclusive jurisdiction over any dispute relating to this Agreement, and each party consents to the exclusive jurisdiction of those courts. If any provision of this Agreement is held invalid, illegal or unenforceable, the remaining provisions will continue unimpaired.
13. Equitable Relief. A breach of any of the promises or agreements contained herein will result in irreparable and continuing damage to [COMPANY] for which there will be no adequate remedy at law, and [COMPANY] shall be entitled to injunctive relief and/or a decree for specific performance, and such other relief as may be proper (including monetary damages if appropriate).
14. Term of Agreement. This Agreement will expire upon the expiration of the Main Services Agreement between the parties, or if no such Main Services Agreement exists between the parties within 60 days after the Effective Date of this Agreement, then upon the completion of the initial Assessment period. Upon expiration, Customer’s permissions under this Agreement shall cease. Sections 5 through 13 shall survive termination of this Agreement.
15. No Third Party Beneficiaries. This Agreement is for the sole and exclusive benefit of the parties hereto and their respective successors and permitted assigns. The parties do not intend to create any third party beneficiaries or other incidental beneficiaries and nothing herein, express or implied, is intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this Agreement.
EXHIBIT A
Reporting Requirements
1. “Report” means a report containing: a findings section aimed at technical staff, detailing the following information for each vulnerability found as part of the penetration efforts:
a. Summary of all findings and associated severity level of each finding.
b. Detailed assessment report noting each finding.
c. Definitive demonstration of how to reproduce the vulnerability.
d. Applicable HTTP requests/responses.
e. Notation as to why this example is believed to be a finding.
Any use of proprietary and/or commercial vulnerability scanning tools will be documented and raw results provided in addition to the summary in the format listed above. Raw data alone, absent an organized summary of findings, is not an acceptable report.