Evaluating Rules of Engagement – How to Protect Yourself
It's important before beginning an engagement to closely read the rules of engagement (sometimes also called a code of conduct) to understand the bounds of what is accepted within the program.
The Rules of Engagement lay out:
- What techniques are allowed in the course of testing
- What sites/domains/apps are open to pentesting
- What parts (if any) of those apps are excluded from testing
- What vulnerabilities merit the highest payouts
- What vulnerabilities will not receive a payout at all
- What credentials/account you should use as a security researcher (for a social network or something with authentication-restricted pages, companies will often offer pentesters a path to creating an account they can use to test user-restricted functionality)
The RoE are extremely important not just because they affect your ability to win an award (you don't want to spend time chasing down a bug that doesn't merit a payout), but also because the company offering the program often judges whether your testing was authorized by your fidelity to the RoE. It's essential to structure your entire pentesting engagement to make sure that it follows the guidelines so that, at the end of your research, you don't get served with a subpoena instead of a paycheck.
One of the most common items in any RoE is a restriction on how scanners are used. Though we'll go into greater detail in Chapter 5, SQL, Code Injection and Scanners, there are principles around using scanners that also apply to your pentest tooling in general.
These principles include the following:
- Be prepared to avoid using a tool by having an alternate workflow.
- Use filters (regex or otherwise), whitelists, and other techniques to tightly control where automation is applied.
- Always verify the results of automatic processes manually before submitting them in a report.
- Keep verbose logs with timestamps, context info, and so on. They'll make formatting your submission report easier.
- Rate-limit scanners or automated tools.
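As an added example (not code from the book), here is how these principles look in practice: a small scope gate that any custom tooling can call before touching a target. It enforces a host allowlist and path exclusions with regex filters, rate-limits the work with a token bucket, and writes a timestamped log of every decision. The host names, excluded paths, and limits are constructed for illustration, not taken from any real program's RoE.

```python
"""Scope gate for automated testing tools: RoE allowlist, exclusions,
rate limit, and timestamped logging. The values below are constructed."""
import logging
import re
import time
from urllib.parse import urlparse

# Constructed RoE (assumed): in-scope hosts and excluded path prefixes
IN_SCOPE = [re.compile(r"^(.+\.)?example\.com$"), re.compile(r"^api\.example\.org$")]
EXCLUDED = [re.compile(r"^/billing/"), re.compile(r"^/admin/")]

logging.basicConfig(level=logging.INFO,
                    format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("scope")

def in_scope(url: str) -> bool:
    """True only if the host matches the allowlist and the path is not excluded."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not any(p.match(host) for p in IN_SCOPE):
        log.info("SKIP out-of-scope host=%s url=%s", host, url)
        return False
    if any(p.match(parsed.path or "/") for p in EXCLUDED):
        log.info("SKIP excluded path=%s url=%s", parsed.path, url)
        return False
    return True

class RateLimiter:
    """Token bucket: at most `rate` actions per second, bursting up to `burst`."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), time.monotonic()

    def acquire(self) -> None:
        now = time.monotonic()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:            # bucket empty: wait for one token to refill
            time.sleep((1 - self.tokens) / self.rate)
            self.tokens = 1.0
        self.tokens -= 1

def filter_targets(urls, limiter=None):
    """Return only in-scope URLs, pacing each one through the rate limiter."""
    kept = []
    for url in urls:
        if in_scope(url):
            if limiter:
                limiter.acquire()
            log.info("OK in-scope url=%s", url)
            kept.append(url)
    return kept
```

Feed the scanner or fuzzer only what `filter_targets` returns, and keep the resulting log alongside your notes; it doubles as the timeline for the submission report.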
While they just seem like general tips, many of these techniques both help you color within the lines of your program's RoE, and – by documenting all the details in the process – give you the material to write a comprehensive submission report at the end of your engagement. Keeping good documentation, limiting the unbounded potential of recursive processes, and overseeing your automated processes are all good habits.