The “pentest waivers” that are sometimes seen in practice are often mainly designed to keep the pentester out of trouble. In that case, the emphasis is on obtaining explicit permission from the client to carry out a pentest and to waive any claims for damages and other rights. This is to prevent the pentester from being prosecuted for breaking into someone else’s system.
This is all fine, but be sure to add these 7 main agreements to the contract before you do business with the pentester.
Record the target in writing. Record in writing the agreements between the operator of the pentest, the client and – if this is another party – the party whose system is the object of the pentest (for example, if the customer requests a pentest on the system of its supplier).
Demand that the performance of the pentest be (fully) documented with a reporting obligation.
Record that the execution will take place in a professional and careful manner in accordance with applicable standards (think: OWASP, ISSAF, etc.).
Demand that the pentest can be discontinued upon first request (such as when continuity is or is likely to be compromised).
Only work with pentesters who hold a certificate for ethical hackers. The OSCP certificate is a good example of this.
Absolute confidentiality of information. This applies both to information the pentester has access to and to the execution and results of the pentest.
Preferably reinforce confidentiality with a penalty clause (besides making it possible to sanction wrong behavior, this undoubtedly also has a preventive effect that promotes the right behavior).
Ensure that an exemption or exclusion of the pentester’s liability is not broader than required / desired: the pentester must be and remain responsible and liable for the proper performance of the pentest in accordance with the agreements made in respect thereof.