Penetration Testing Agreement
The below text is a sample contract only and does not obligate COMPUTERSECURITY.ORG to perform services under any specified terms or conditions. This contract is for educational purposes only. Only valid signed contracts will be considered binding.
This contract is between COMPUTERSECURITY.ORG (hereinafter referred to as the “provider”) and Penetration Testing Services buyer (hereinafter referred to as the “client”) for the supply of Penetration Testing services by the provider for the client.
Whereas the provider provides certain computer and systems security consulting and testing services including Penetration Testing services, and
Whereas the client wishes to retain the provider to provide computer and systems security services, specifically Penetration Testing services, therefore
The client does hereby retain the provider for the purpose of providing Penetration Testing services on the client’s computers and/or systems.
The objective of the Penetration Testing service is to identify and report on security vulnerabilities to allow the client to close the issues in a planned manner, thus significantly raising the level of their security protection. The client understands that Internet security is a continually growing and changing field and that testing by COMPUTERSECURITY.ORG does not mean that the client’s site is secure from every form of attack. There is no such thing as 100% security testing; for example, it is never possible to test for vulnerabilities in software or systems that are not known at the time of testing or the mathematically complete set of all possible inputs/outputs for each software component in use. Further, security breaches can and frequently do come from internal sources whose access is not a function of system configuration and/or external access security issues.
The client has provided the provider with certain required information regarding the scope and range of the tests and the client hereby warrants that all information provided is true and accurate and that the client owns or is authorized to represent the owners of the computers and systems described. The client further warrants and represents that he/she is authorized to enter into binding legal agreements.
The provider has provided a written quote for the services contracted. The client prior to any services being performed by the provider shall make payment for contracted services in full. A copy of the written quote is attached to this contract as Schedule A.
The provider anticipates completion of the quoted services within 28 days of kick-off. Kick-off is defined as the first day that the provider has received cleared payment in full for all services as well as original signed contracts. Since the services rendered require a kick-off interview and a post-scan review conducted with the client, final schedule outcome is contingent upon client availability. In the event that the services rendered are ongoing, the schedule applies only to the first occurrence of testing with further occurrences to be scheduled individually and/or periodically.
The provider shall be under no liability whatever to the buyer for any indirect loss and/or expense (including loss of profit) suffered by the buyer arising out of a breach by the provider of this contract. In the event of any breach of this contract by the provider the remedies of the buyer shall be limited to a maximum of fees paid by the client.
Both parties shall maintain this contract as confidential. No information about this contract, contract terms, or contract fees shall be released by either party. Information about the client’s business or computer systems or security situation that the provider obtains during the course of its work will be released to any third party without prior written approval.
The provider may assign or sub-contract all or any part of its rights and obligations under this contract to third parties without the client’s prior written consent. The provider utilizes a team approach employing experts to test different security aspects. All sub-contractors employed by the provider shall, however, be bound by the terms and conditions of this contract.
The provider and the client have imparted and may from time to time impart to each other certain confidential information relating to each other’s business including specific documentation. Each party agrees that it shall use such confidential information solely for the purposes of the service and that it shall not disclose directly or indirectly to any third party such information either expressed or otherwise. Where disclosure to a third party by either party is essential such party with the agreement of the other party will prior to any such disclosure obtain from any such third party duly binding agreements to maintain in confidence the information to be disclosed to the same extent at least as the parties are bound.
This contract is subject to the laws of the State of Maryland, USA. All disputes arising out of this contract shall be subject to the exclusive jurisdiction of the State of Maryland, USA.
Neither party shall be liable for any default due to any act of God, war, strike, lockout, industrial action, fire, flood, drought, storm or other event beyond the reasonable control of either party.