Before testing any system, it's crucial to have a clear agreement with the client about what will be tested, how, and why. This prevents misunderstandings and ensures that the test's scope, timeline, communication methods, and legal boundaries are clearly defined from the start. If the system being tested belongs to a third party, you'll also need written permission from them before proceeding.

Getting written permission isn't just a formality — it's a must. The client needs to fully understand that testing may reveal sensitive information and explicitly authorize access to it. It's also vital to set boundaries: for example, taking unauthorized steps beyond the defined scope or accessing third-party systems is not allowed — even if a vulnerability makes it technically possible.

A good contract protects both sides. It ensures ethical conduct, legal clarity, and mutual trust. That's why before any testing begins, everything is laid out in a formal agreement — and signed by both parties.

Penetration Testing Agreement

PARTIES

Client: Da Vivian Code, represented by Vivian C.

Penetration Tester: You, the best white-hat hacker in the making.

OBJECTIVE

The purpose of this agreement is to authorize the Tester to conduct a penetration test on the Da Vivian Code infrastructure to identify security vulnerabilities that could be exploited by malicious attackers. The goal is to improve the overall security of the system.

SCOPE

The following assets and systems are within the scope of this penetration test:

The Da Vivian Code web server and associated web site.
User accounts, configurations, and potential access control flaws.
Identification and controlled exploitation of security weaknesses.

Out of scope:

Any infrastructure, devices, or networks outside Da Vivian Code.
Attacks that may result in data loss, permanent system modifications, or downtime.
Creation of persistent access methods (e.g. installing backdoors, reverse shells, or hidden users).

RULES

Testing must be conducted ethically and with minimal disruption to the system.
No malware, ransomware, or intentionally destructive actions.
Denial of Service (DoS) attacks are strictly prohibited.
Access is limited to vulnerabilities discovered within the defined scope.
No data may be deleted during testing.
No permanent modifications may be made to the system.
All findings must be reported promptly and confidentially to the client.

RESPONSIBILITIES

The customer is aware that sensitive information may be found during testing.
The Tester agrees to maintain confidentiality regarding any vulnerabilities found.
The Tester will document all findings in a detailed penetration testing report upon completion of the test.

LIABILITY

The Tester cannot be held responsible for any unexpected disruptions to the system as long as they follow the agreed-upon rules. The Client understands that penetration testing always involves some risks and agrees not to take legal action against the Tester for any activities that have been authorized in this agreement.

DURATION

This agreement is valid from the moment of acceptance and remains in effect until the final penetration test report is submitted.

By clicking "I AGREE", you confirm that you understand and accept these terms.

Hack the System, Not the Law

Always Get Permission First

Penetration Testing Agreement