SECURITY ENGAGEMENT AGREEMENT
All security assessments, penetration tests, and vulnerability scans require explicit written authorization. Unauthorized testing is a federal crime under US law. This agreement documents lawful authorization and defines the scope of work.
Unauthorized access to computer systems is a federal crime under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. Penalties include up to 10 years imprisonment for first-time offenders and up to 20 years for subsequent offenses. By signing this agreement, you confirm you have full legal authority to authorize security testing on the specified systems.
This engagement is governed by the following US federal and state laws. By executing this agreement, all parties acknowledge and agree to comply with these legal frameworks:
- Computer Fraud and Abuse Act (CFAA) — 18 U.S.C. § 1030: The primary federal law governing unauthorized computer access. This agreement serves as explicit written authorization under CFAA, permitting the security professional to access specified systems for authorized testing purposes only.
- Electronic Communications Privacy Act (ECPA) — 18 U.S.C. § 2511: Governs interception of electronic communications. All network traffic analysis and packet inspection performed during this engagement is authorized under this agreement and exempt from ECPA prohibition.
- Digital Millennium Copyright Act (DMCA) — 17 U.S.C. § 1201: Security research exemption (Section 1201(j)) applies to good-faith security testing. This agreement documents the good-faith research nature of all testing activities.
- State Computer Crime Laws: In addition to federal law, various state laws may apply (e.g., California Penal Code § 502, New York Penal Law § 156). This agreement authorizes testing under all applicable state laws.
- NIST SP 800-115 — Technical Guide to Information Security Testing: All testing methodologies will adhere to NIST guidelines for technical security testing and assessment.
The Client authorizes PM::OFFSEC to perform the following security testing activities, limited strictly to systems and assets explicitly listed in Section 9 (Target Scope) of this agreement:
- Network Penetration Testing: Port scanning, service enumeration, vulnerability identification, and exploitation of authorized network infrastructure.
- Web Application Security Testing: OWASP Top 10 assessment, injection testing, authentication bypass attempts, session management analysis, and API security review.
- System Security Assessment: Operating system configuration review, privilege escalation testing, patch level assessment, and security misconfiguration identification.
- Social Engineering (if explicitly authorized): Phishing simulation, pretexting, and physical security assessment — only if checked and initialed in the scope section.
- OSINT & Reconnaissance: Open-source intelligence gathering on authorized domains and IP ranges using publicly available information.
- Wireless Security Testing (if explicitly authorized): Only if physical access and explicit written authorization are provided separately.
The following activities are expressly PROHIBITED regardless of technical access:
- Testing systems not explicitly listed in scope
- Denial of Service (DoS/DDoS) attacks
- Destruction or permanent modification of data
- Exfiltration of production data outside the engagement
- Testing third-party systems without their separate authorization
- Physical access to facilities not explicitly authorized
- Social engineering of employees without separate authorization
All information obtained during this engagement is strictly confidential and governed by the following protections:
- Non-Disclosure: PM::OFFSEC agrees to maintain strict confidentiality of all discovered vulnerabilities, system information, credentials, and business data. Information will not be shared with any third party without explicit written consent.
- Data Minimization: Only the minimum data necessary to demonstrate vulnerabilities will be accessed. No production data will be exfiltrated, stored, or retained beyond the engagement period.
- HIPAA Compliance (if applicable): If testing systems that process Protected Health Information (PHI), PM::OFFSEC agrees to comply with HIPAA Security Rule 45 CFR § 164.306 and sign a Business Associate Agreement (BAA) as required.
- PCI DSS (if applicable): For systems in scope of PCI DSS, testing will be conducted in accordance with PCI DSS Requirement 11.3 and results will be handled as Level 1 confidential data.
- Report Retention: Final reports will be delivered securely via encrypted channels. PM::OFFSEC will retain a copy for professional records for 2 years, after which it will be securely destroyed.
- GDPR (if EU data is processed): Testing involving systems that process EU personal data will comply with GDPR Article 32 security requirements and data minimization principles.
All discovered vulnerabilities will be handled according to responsible disclosure principles aligned with CERT/CC and ISO 29147:
- Immediate Notification: Critical vulnerabilities (CVSS 9.0+) will be reported to the Client immediately upon discovery, before the formal report is complete.
- Report Delivery: A complete written report including all findings, CVSS scores, proof-of-concept evidence, and remediation recommendations will be delivered within the agreed timeframe.
- No Public Disclosure: PM::OFFSEC will not publicly disclose any vulnerability findings without explicit written consent from the Client. In cases involving third-party vendor vulnerabilities (e.g., CVEs), coordinated disclosure will be discussed with the Client first.
- Re-Testing: A complimentary verification re-test of remediated critical and high severity findings is included within 60 days of report delivery.
- Zero-Day Policy: If a previously unknown vulnerability (zero-day) is discovered in a third-party product, PM::OFFSEC will coordinate with the Client on responsible disclosure to the vendor following NIST and CISA guidelines.
Both parties acknowledge the inherent risks associated with security testing and agree to the following liability terms:
- Good Faith Testing: PM::OFFSEC will perform all testing in good faith with professional care. Testing activities will be designed to minimize disruption to production systems.
- Service Disruption: The Client acknowledges that penetration testing may cause unintended service disruptions. PM::OFFSEC liability for unintended disruptions is limited to the total engagement fee paid.
- Data Loss: PM::OFFSEC is not liable for data loss or corruption resulting from authorized testing activities, provided testing was conducted within the agreed scope and methodology.
- Client Indemnification: The Client agrees to indemnify and hold harmless PM::OFFSEC against third-party claims arising from testing activities conducted within the authorized scope.
- Force Majeure: Neither party is liable for delays or failures caused by circumstances beyond their reasonable control.
- Maximum Liability Cap: PM::OFFSEC's total liability under this agreement shall not exceed 2x the total fees paid for the engagement.
- Payment Schedule: 50% deposit required before engagement begins. Remaining 50% due upon delivery of the final report. Invoices are payable within 15 days.
- Deliverables: Executive summary report, technical findings report (CVSS-scored), remediation roadmap, and re-test report (for resolved critical/high findings).
- Timeline: Agreed engagement start and end dates will be confirmed in writing. Scope changes may affect timeline and require a signed change order.
- Cancellation: Cancellation within 48 hours of the engagement start forfeits the 50% deposit. Cancellation more than 48 hours before the engagement start results in a full refund.
- Taxes: Client is responsible for any applicable taxes on services rendered. PM::OFFSEC will provide a W-9 upon request for US-based clients.
- Governing Law: This agreement is governed by the laws of the United States and the state in which PM::OFFSEC is registered, without regard to conflict-of-laws provisions.
- Dispute Resolution: Any disputes arising from this agreement shall first be subject to good-faith negotiation. If unresolved within 30 days, disputes will be submitted to binding arbitration under the American Arbitration Association (AAA) Commercial Arbitration Rules.
- Jurisdiction: For matters not subject to arbitration, the parties consent to exclusive jurisdiction in federal and state courts in the applicable US jurisdiction.
- Attorney Fees: In any legal proceeding, the prevailing party shall be entitled to recover reasonable attorney fees and costs.
- Severability: If any provision of this agreement is found unenforceable, the remaining provisions remain in full effect.
- Entire Agreement: This document, together with any signed Statement of Work (SOW), constitutes the entire agreement between the parties and supersedes all prior discussions.
- Emergency Stop: The Client may request immediate cessation of all testing activities at any time by contacting PM::OFFSEC via the designated emergency contact method. Testing will stop within 15 minutes of notification.
- Testing Windows: Unless otherwise agreed, active exploitation testing will occur during business hours (9 AM – 6 PM Client's local time) on weekdays only. Reconnaissance may occur outside these hours.
- Communication: Daily check-ins will be scheduled during active testing phases. All communication will use encrypted channels (Signal or PGP-encrypted email).
- Incident Response: If testing inadvertently causes a security incident, PM::OFFSEC will immediately notify the Client and assist with incident response at no additional charge.
- Third-Party Notification: If in-scope testing requires interaction with third-party services (cloud providers, CDNs), PM::OFFSEC will notify the Client before proceeding. The Client bears responsibility for obtaining separate authorization from those third parties.
A copy of this agreement will be sent to your email address.
Complete all fields below. This constitutes a legally binding authorization for security testing. All fields marked with * are required.