Penetration test scope-of-work + rules-of-engagement template
Pentest SOW + RoE template covering scope, methodology, allowed/disallowed targets, communication protocol, deliverables. Required by most enterprise security questionnaires; often required by SOC 2 Type 2.
How to use
Adapt per engagement; have both parties sign before testing begins.
Template (markdown)
copy-paste, replace {{PLACEHOLDERS}}

# Penetration Test Scope-of-Work + Rules-of-Engagement
**Engagement:** {{COMPANY}} × {{TESTING_FIRM}} · **Period:** {{START_DATE}} to {{END_DATE}}
## 1. Scope
### In-scope assets
- **Production web application:** https://{{DOMAIN}} (entire surface)
- **Production API:** https://api.{{DOMAIN}}
- **Mobile apps:** {{IOS_BUNDLE_ID}}, {{ANDROID_PACKAGE_NAME}}
- **Authentication endpoints:** /login, /signup, /reset-password, /oauth-callback
- **Customer dashboard:** authenticated /app/* surface
### Out-of-scope (do NOT test)
- {{COMPANY}} marketing site (https://{{COMPANY}}.com — no business logic)
- Third-party services (Stripe, Auth0, etc.) — coordinate with their bug bounty programs
- Physical premises + employee social engineering
- {{COMPANY}}'s {{SUB_PROCESSOR}} — has its own pentest cadence
## 2. Methodology
- OWASP WSTG (Web Security Testing Guide) v4.2
- OWASP MSTG (Mobile Security Testing Guide) v1.7 for mobile
- OWASP API Security Top 10 (2023)
- NIST SP 800-115 for general methodology
## 3. Test types
- ☑ Black-box (no internal information)
- ☑ Authenticated (test credentials provided)
- ☐ White-box (source code review) — separate engagement
- ☑ Network (in-scope IPs)
- ☐ Physical
- ☐ Wireless
- ☐ Social engineering
## 4. Rules of engagement
- **Target traffic cap:** 10 RPS aggregate; do not stress-test
- **Time window:** business hours {{TIMEZONE}}, 9am-6pm Mon-Fri
- **Test accounts:** {{TESTING_FIRM}} uses provided test accounts only; never live customer accounts
- **DoS testing:** prohibited
- **Destructive payloads:** prohibited (no DROP TABLE, no rm -rf, no data deletion)
- **Discovered customer data:** must NOT exfiltrate; report finding only
- **Discovered active attacker:** stop testing immediately; notify {{INCIDENT_CONTACT}} within 1h
- **Out-of-band emergency contact:** {{EMERGENCY_PHONE}} (24/7 SEV1 line)
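A pre-request scope and rules-of-engagement gate, added here as an example and not part of the template: it encodes the section 1 host lists and the section 4 traffic cap and time window so a tester's tooling refuses a request that falls outside them. The placeholders are filled with constructed values (example.com for {{DOMAIN}}, a fixed UTC-5 offset standing in for {{TIMEZONE}}).

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed engagement values standing in for the template placeholders.
IN_SCOPE_HOSTS = {"example.com", "api.example.com"}          # {{DOMAIN}}, api.{{DOMAIN}}
OUT_OF_SCOPE_HOSTS = {"www.example.com", "stripe.com", "auth0.com"}  # marketing site, third parties
TZ = timezone(timedelta(hours=-5), name="EST")               # stands in for {{TIMEZONE}}
WINDOW_HOURS = (9, 18)                                       # 9am-6pm local, Mon-Fri
MAX_RPS = 10                                                 # aggregate traffic cap


def in_window(now: datetime) -> bool:
    """True when `now` falls inside the agreed business-hours window."""
    local = now.astimezone(TZ)
    return local.weekday() < 5 and WINDOW_HOURS[0] <= local.hour < WINDOW_HOURS[1]


def check_target(url: str, now: datetime, observed_rps: float) -> tuple[bool, str]:
    """Return (allowed, reason) for one request under the signed RoE.

    Host matching is exact: subdomains not listed (e.g. staging.example.com)
    are treated as not in scope, which is what the scope list says.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, "only the https surface is in scope"
    if host in OUT_OF_SCOPE_HOSTS:
        return False, f"{host} is explicitly out of scope"
    if host not in IN_SCOPE_HOSTS:
        return False, f"{host} is not a listed in-scope asset"
    if not in_window(now):
        return False, "outside the agreed testing window"
    if observed_rps > MAX_RPS:
        return False, f"aggregate rate {observed_rps} RPS exceeds the {MAX_RPS} RPS cap"
    return True, "ok"
```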
## 5. Test accounts
- Tester 1: {{TESTER_1_EMAIL}} — role: standard user, tenant A
- Tester 2: {{TESTER_2_EMAIL}} — role: admin, tenant A
- Tester 3: {{TESTER_3_EMAIL}} — role: standard user, tenant B
- Test data: synthetic only; safe to manipulate
## 6. Communication
- Daily standup: {{DAILY_STANDUP_TIME}}
- Escalation: SEV1 finding within 1h; SEV2 within 4h; SEV3 in final report
- Channel: {{SLACK_OR_EMAIL_THREAD}}
## 7. Deliverables
- Final report within 7 days of testing end
- Executive summary (1-2 pages, non-technical)
- Detailed technical findings with PoC, impact, remediation
- CVSS score per finding
- Tester-side replication steps
## 8. Severity rubric
| Severity | Definition | Response SLA |
|---|---|---|
| Critical | RCE, full data exfiltration, full account takeover | Patch + verify within 48h |
| High | Privilege escalation, partial data exfiltration | Patch within 7 days |
| Medium | Partial info disclosure, weak auth | Patch within 30 days |
| Low | Verbose error message, etc. | Plan within 90 days |
## 9. Re-test
- {{COMPANY}} requests re-test within 90 days of patch deployment for Critical + High findings
- Re-test scope limited to verifying findings are resolved (not new finding hunt)
- {{TESTING_FIRM}} provides clean re-test report
## 10. Confidentiality
- Findings shared only between {{COMPANY}} + {{TESTING_FIRM}} during engagement
- Public disclosure only after coordinated date + with {{COMPANY}} approval
- {{TESTING_FIRM}} retains findings under NDA for 12 months for case-study purposes (anonymized)
## 11. Liability
- {{TESTING_FIRM}} maintains errors-and-omissions insurance USD {{E_AND_O_LIMIT}}
- Hold-harmless clause for unintended impact within scope
## 12. Sign-off
- {{COMPANY}}: {{NAME}}, {{ROLE}}, signed {{DATE}}
- {{TESTING_FIRM}}: {{NAME}}, {{ROLE}}, signed {{DATE}}