This repository contains resources that can be used when planning and ordering a penetration test as a client. It is tailored to manufacturers of products that are either software-only or physical products containing software. The penetration test can be executed either prior to a release or on a regular basis while the product is in the field.
For situations where the penetration test client is the operator of infrastructure running third-party software (e.g., an e-mail server), this documentation can be used as inspiration but may need to be adapted for that purpose. This is not my field of expertise.
Use the statement-of-work template to discuss activities with a penetration testing provider. Copy and paste the page's content into an empty document and follow the instructions. You may also use the statement of work to request a quote from penetration testing providers. Before exchanging confidential information, make sure that a non-disclosure agreement (NDA) has been signed.
A second document, which does not yet exist, could be a standardized offer form to be used by all participants in a request for proposal (RfP). The idea is to receive quotes in a structured format that allows different offers to be compared. Mismatches in suggested effort or price may indicate a misunderstanding of the requested services.
If this repository has been helpful to you, consider leaving a "star" on GitHub. In case of errors, please create an issue or even a pull request on GitHub.
All work in this repository is licensed under the MIT License.