Mantente al día en ciberseguridad. ¡Suscríbete a Hacknews!
Contáctanos

AGREEMENT FOR THE PROVISION OF DIGITAL SECURITY SERVICES

Agreement for the Provision of Digital Security Services

This Agreement for the Provision of Digital Security Services (the “Agreement”) is made between Hackmetrix, LLC, a limited liability company incorporated under the laws of the State of Delaware, United States of America (the “Provider”) and the Client (hereinafter referred to as the “Client”, and, together with the Provider, hereinafter referred to as the “Parties”, and each of them individually referred to as a “Party”).

Unless expressly defined in this Agreement, any capitalized words used herein shall have the meaning given to them in the Commercial Proposal (as defined below).

BACKGROUND

  • WHEREAS, the Provider provides consulting services in computer security and software development;
  • WHEREAS, the Client wishes to independently contract the services called “Ethical Hacking” in addition to the deliverables (jointly referred to as the “Services”) described in the commercial proposal (the “Commercial Proposal”) attached hereto as Annex 1, which is an integral part of this Agreement.

IN LIGHT OF THE FOREGOING, in exchange for certain consideration set forth in this Agreement, the value and sufficiency of which is hereby acknowledged, the Parties agree to be bound in accordance with the following terms and conditions:

AGREEMENT

1. Services of the Provider.

(a) Subject to the terms and conditions of this Agreement and the Commercial Proposal, from the Effective Date and until the expiration or termination of the Agreement under Clause 11, the Provider undertakes to provide the Services described in the Commercial Proposal, which involve: (i) Performing security penetration tests (the “Tests”), provided that they include any action, by the Provider, in the digital and cybersecurity field, carried out to test the Client’s computer or cybersecurity systems. (ii) Diagnosing the actual and current state of the Client’s cybersecurity systems, reporting and analyzing the results, indicating the Client’s vulnerabilities, degree of risk and impacts. (iii) Providing advice and proposing alternatives to solve, remediate or mitigate the risks found. (iv) Delivering and making a final presentation of the results and reports of the activities carried out by the Provider. (v) Supplying additional information and clarifying a reasonable amount of doubts, if any, that the Client may have regarding the Services and results of the Tests, upon prior written request of the Client, which shall be answered by the Provider within fifteen (15) calendar days from receipt thereof. (b) The Provider agrees to perform the Services in a diligent and timely manner, and to perform them exclusively in accordance with this Agreement and the Commercial Proposal. (c) The Parties agree that the Services will be provided remotely and in phases in accordance with the Commercial Proposal.

2. Methodology and Nature of the Services.

(a) The Client fully acknowledges the nature of the Tests and the Services, and hereby grants the Provider access to its data and authorizes the Provider to perform the Services. The Client waives any action that it may be entitled to bring against the Provider due to the loss of, or delay or errors in, the data or Platform of the Client, arising from the Tests and the Services of the Provider. Likewise, considering the purposes of the Tests, the Client acknowledges and agrees that the Tests may be performed by the Provider at any time without prior notice. (b) In order to ensure the proper provision of the Services, the Client shall give access to and furnish the Provider with the appropriate and necessary infrastructure, as well as any information and data that the Provider may reasonably require in connection with the Client and/or the Platform or with this Agreement. To this end, the Client shall ensure that its personnel are reasonably available to receive, address and provide effective responses and solutions to the Provider’s inquiries in connection with the Services. If requested by the Provider, the Client shall designate a representative to handle and respond to requests for information from the Provider in connection with the Services. (c) Except with the prior authorization of the Client, the Provider shall refrain from delegating or subcontracting the provision of the Services for the Client. (d) The Client has and shall retain exclusive control over the Platform and shall remain solely liable to its clients and/or users with access to it. The Client shall keep the Provider informed of any third party property and data contained on the Platform and/or in the computer or cybersecurity systems of the Client. In performance of the Services by the Provider, the Provider shall not be liable to third parties whose information is on the Platform, and it shall have no control over, nor management or direction of, the Platform.

3. Consideration.

(a) The service is fully covered at no cost due to its acquisition through AWS. (b) The Client shall not be responsible for any taxes, duties, fees or other charges levied by or on behalf of any tax authority related to this Agreement or the Services. (c) In any case, the Client acknowledges and agrees that the failure to pay any of the installments of the Consideration in (a) above within ten (10) calendar days after they are due shall imply a material breach of this Agreement. Notwithstanding the Provider’s right to terminate this Agreement for such material breach, the Provider shall also be entitled to suspend the Services, without being liable to the Client.

4. Expenses.

If the Client requires the provision of Services on a face-to-face basis, any and all expenses, fees, per diem and costs arising from the Services and the implementation of the terms of this Agreement shall be borne solely by the Client. Any individual expense of the Provider related to this Agreement shall be evaluated and reasonably approved in advance by the Client. The Client shall reimburse such expenses to the Provider together with the payment of the relevant installment of the Consideration.

5. Compliance and Indemnity.

(a) The Client shall be solely responsible for ensuring that its Platform and business complies with all applicable federal, state and local laws, rules, statutes, enactments, orders and regulations, including those of any governmental agency, as well as any third party privacy or personal data processing obligations. The Services of the Provider and the indication of vulnerability or vulnerabilities in the computer or cybersecurity systems of the Client does not imply that the Provider has any duty or liability regarding the Platform or business of the Client, nor does it bind the Provider to inform any third party about the existence of vulnerabilities and/or potential incidents in the computer or cybersecurity systems of the Client and/or the Platform. (b) The Client acknowledges and accepts that the Provider has no relationship with the clients or users of the Client and is not aware of the specific terms and conditions governing the Client’s relationship with them, and/or aware of any third party information or infrastructure existing in the Client’s information or on its Platform. In this regard, the Client shall indemnify, defend, and hold the Provider, its affiliates and each of their relevant directors, employees, partners, shareholders and representatives, and each of their successors and assignees (each of them referred to as an “Indemnified Party” and jointly referred to as the “Indemnified Parties”), from and against any and all claims, losses, damages, expenses, obligations or other liabilities of any kind (including, without limitation, attorneys’ fees, court costs and other legal expenses), incurred by any of the Indemnified Parties arising or resulting from any breach by the Client of any of the terms and conditions of this Agreement or any other agreement or relationship with clients or users of the Client or any third party, arising from the Platform or the conduct of the Client’s business. (c) In the event of any claim pursuant to which an Indemnified Party is or may be entitled to be indemnified by the Client under this Agreement, the Indemnified Party shall notify the Client of such claim, and the Indemnified Parties shall be entitled to require their counsel to take over the defense of or settle the claim at hand, in which case the Client shall cooperate in any action in connection with such defense or settlement of such claim. If any Indemnified Party chooses to demand that the Client take over the defense of or settle any claim, the Client shall cooperate in any such action in connection with such defense or settlement of such claim. If the Indemnified Parties choose to demand that the Client take over the defense of or settle a claim, the Client shall defend such Indemnified Parties with respect to such claim with the support of legal counsel, at its own expense, subject to the prior written approval of the Indemnified Party, provided that the Indemnified Parties shall remain entitled to use their own Counsel at the expense of the Client. The Client acknowledges that none of the Indemnified Parties shall be bound to indemnify, defend or hold the Client harmless from any claim, loss, expense, damage, obligation or liability of any kind related to this Agreement.

6. Confidentiality.

The Parties expressly undertake to keep confidential all information exchanged within the scope of this Agreement (the “Confidential Information”), and not to disclose or reveal such information to any third party, person and/or entity, except to those employees or consultants of each Party who need to know such Confidential Information to implement the provisions of this Agreement, provided that employees and/or consultants with access to the Confidential Information shall be bound by confidentiality obligations with at least the same degree of restriction as set forth in this Agreement.

All information provided, delivered or disclosed for the purposes described in this Agreement, in any format, shall be treated as Confidential Information, the title and ownership of which shall remain exclusively with the Party providing such information.

Confidential Information includes, without limitation, information provided, delivered or disclosed by the Parties in any format, including, but not limited to, any information and data relating to know-how, methodologies, trade secrets, as well as any technical or similar data representing a competitive advantage of any Party, as well as any information, materials, designs or ideas shared between the Parties by any means or in any format.

The expression Confidential Information excludes any information that: (a) was in the public domain at the time it was disclosed or is in the public domain without negligence or breach by the Party that received the information; (b) was known without restrictions by the Party that received the information, at the time of disclosure, as evidenced by records existing at the time of disclosure; (c) was independently developed by the Party receiving the information without any reference to or use of Confidential Information, as evidenced by records existing at the time of the preparation of the information at hand; (d) is obtained from a source external to the Parties, without involving a breach of this Agreement or other confidentiality restrictions; (e) is disclosed with the prior written approval of the Party owning the Confidential Information; (f) is disclosed pursuant to a non-appealable injunction or request of a court, administrative agency or other governmental agency;

In light of this, the Parties agree to:
(a) Refrain from disclosing, delivering or revealing any or all of the Confidential Information to any third party, or to use the Confidential Information for any personal interest or purpose or that of any third parties, except within the scope described in this Agreement.
(b) Protect all Confidential Information diligently, as if it were their own confidential information.
(c) Limit access to Confidential Information exclusively to persons who need to know the information to carry out the purpose of this Agreement.
(d) Take any and all actions required to prevent disclosure of Confidential Information.
(e) Promptly and diligently inform the other Party in the event that disclosure of Confidential Information is required by applicable law or ordered by a competent administrative agency, judicial authority or governmental agency. In this case, the Party required to disclose such information shall provide reasonable assistance to the Party owning the Confidential Information in order to protect, challenge, prevent or limit the disclosure.

Unless otherwise expressly authorized by the Party owning the Confidential Information, the Party receiving Confidential Information shall refrain from making copies or duplicates of the Confidential Information. Any materials or documents that have been provided shall be promptly returned or destroyed (at the choice of the Party owning the Confidential Information), within ten (10) calendar days from: (a) the termination of this Agreement, for any reason; or (b) the written request of the Party owning the Confidential Information.

The confidentiality obligations and restrictions shall survive and remain in force indefinitely, regardless of the expiration or termination of this Agreement.

7. Solicitation.

Each Party agrees that certain restrictions on its activities are necessary to protect the Confidential Information and other legitimate commercial interests of each Party. Considering this situation, during the term of this Agreement and for two (2) years after the termination thereof, for any reason whatsoever, each Party shall refrain from, without the written consent of the other Party, directly or indirectly hiring or making any employment offer to any current employee of the other Party, and from promoting the hiring of such employee by any third party, or encouraging such employee to terminate his or her employment or service relationship with the other Party.

8. Independent Parties.

This Agreement and the transactions included herein do not create any partnership, association, joint endeavor, joint venture, employment or subordinate relationship between the Parties, nor does it bind the Parties to enter into any such relationship or enter into any additional transactions. This Agreement is non-exclusive and accordingly, either Party may freely contract with other persons and entities. The Provider is an independent contractor and shall remain free from any subordination, obligation, joint and several liability to the Client with respect to its contractors, users and clients.

9. Intellectual Property and Use of Image.

(a) All rights related to the Services, the Confidential Information of the Provider, trademarks, logos, know-how, methodology, software, technological tools, reports, analyses, results, trade names, trade secrets, patents and other intellectual property rights, including all modifications and derivative works thereof (the “Intellectual Property of the Provider”) shall remain the exclusive property of the Provider (or its affiliates, if any). Except for and exclusively limited to the rights related to the content of the Vulnerability Report, Certification Report and Final Status Report delivered by the Provider to the Client during the performance of the Services, the Client does not have, nor does it acquire under this Agreement, any right or interest in or to the Intellectual Property of the Provider, whether express, implied, or otherwise. (b) The Client shall refrain from:
(i) copying, modifying or creating derivative works or enhancing the Intellectual Property of the Provider;
(ii) renting, leasing, lending, selling, licensing, assigning, distributing, publishing, transferring or disposing of the Intellectual Property of the Provider;
(iii) performing reverse engineering, disassembling, decompiling, decoding, adapting or attempting to derive or gain access to the source code of the Intellectual Property of the Provider;
(iv) circumventing or violating any security or protection device used by the Intellectual Property of the Provider;
(v) damaging, destroying, interrupting, disabling, impairing, interfering with, impeding or otherwise damaging the Intellectual Property of the Provider;
(vi) removing, deleting, altering or hiding any trademark, warranty or disclaimer, or any copyright, trademark, patent or other intellectual property rights or proprietary rights of any part of the Intellectual Property of the Provider;
(vii) accessing or using the Intellectual Property of the Provider for purposes of competitive analysis, or other purpose that is detrimental to the Provider or entails a commercial disadvantage to it; (c) The Provider acknowledges that the Client (and its affiliates, if any) is the sole owner of the Platform and its business and the intellectual property therein, including, but not limited to, its programming, editing, compilation, designs, logos, text and/or graphics, website. The Provider’s access to the Client’s Platform does not grant the Provider any ownership rights in the Platform. (d) Subject to the confidentiality restrictions contained in this Agreement, the Client authorizes the Provider to make reasonable use of the Provider’s image in connection with the engagement of the Services of the Provider for advertising purposes only, in any media that the Provider deems appropriate for the dissemination and promotion of the Provider. Said authorization shall remain in force indefinitely, until the Client notifies the Provider in writing of its revocation.

10. Representations and Warranties.

Each Party represents and warrants as follows: (a) Each Party has the capacity and power to enter into and be bound under this Agreement, and to perform its obligations hereunder. (b) Its representatives under this Agreement have full authority to bind their principal on the terms hereunder. (c) To have all necessary or appropriate corporate approvals under law or their corporate governance in order to enter into and perform their obligations under this Agreement. (d) The Parties do not require authorization or approval of any governmental authority for the purpose of entering into this Agreement and being bound by the terms hereof. (e) Each Party shall perform any and all of its obligations under this Agreement in accordance at all times with all federal, state and local laws, rules, statutes, enactments, orders and regulations of the United States of America, including those of any governmental agency, and all provisions repealing or abrogating the foregoing. (f) Each Party has all licenses, permits, approvals and authorizations required to operate its business, all of which are in full force and effect, and there are no material violations with respect thereto. (g) This Agreement constitutes a legal, valid and binding obligation of each of the Parties, enforceable in accordance with its terms, except in cases of bankruptcy, insolvency, corporate bankruptcy proceedings or other laws of general application relating thereto or with respect to the compliance with the creditors’ rights in general and the general principles of equity. (h) Each Party (together with its affiliates, if any) is the sole owner of the information and infrastructure to which the other Party may have access under this Agreement. (i) Each Party acknowledges that the other Party relies on the accuracy and truthfulness of the representations made throughout this Agreement, and each Party acknowledges such reliance.

11. Term.

This Agreement shall be effective as of the Effective Date and for one (1) year from the date agreed by the Parties for the commencement of the Services (the “Term”), provided that the Parties may establish phases or milestones in accordance with the Commercial Proposal. Likewise, the Term may be extended by mutual written agreement between the Parties.

12. Termination and Survival.

(a) This Agreement shall be terminated in any of the following cases, whichever occurs first: (i) The expiration of the Term, or any extension thereof, pursuant to Clause 11. (ii) By written notice of a Party, pursuant to a material breach of the other Party’s obligations under the Agreement and in the event that such breach is not remedied within ten (10) calendar days from the notice by the affected Party. (iii) Upon thirty (30) calendar days’ prior written notice by either Party to the other, for any reason whatsoever. (b) Notwithstanding the termination of this Agreement for any other reason, the Parties acknowledge and agree that, in addition to all other rights and obligations contained in this document which, due to their nature, shall survive the termination of this Agreement, the following rights and obligations of the Parties shall survive the termination of this Agreement: (i) The indemnity obligations of the Client under Clause 5. (ii) The confidentiality obligations and restrictions of the Parties under Clause 6. (iii) The Parties’ solicitation and independence restrictions under Clause 7 and Clause 8, respectively. (iv) The right to use the image of the Client for advertising purposes by the Provider under Clause 9(d).

13. Disclaimer of Warranties.

The Client acknowledges and agrees that the Services of the Provider, the results, recommendations and observations arising therefrom and any other deliverables under the Commercial Proposal are provided on an “as is” basis, with any defects or errors, if any, therein. The Provider makes no representations or warranties, whether express or implied, regarding its Services, the results, recommendations and observations arising therefrom and any other deliverables under the Commercial Proposal, and/or the computer or cybersecurity systems of the Client upon completion of the Services. THE CLIENT HEREBY DISCLAIMS ANY AND ALL IMPLIED, STATUTORY WARRANTIES WITH RESPECT TO THE SERVICES AND/OR DELIVERABLES UNDER THE AGREEMENT AND COMMERCIAL PROPOSAL, AS WELL AS THEIR QUALITY, CONDITION, PRICE OR COMPLETENESS, RESULTS, ABSENCE OF NEGLIGENCE, AND/OR DEFECT, AND ANY IMPLIED WARRANTY OF MARKETABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

14. Limitation of Liability.

UNDER THE SERVICES AND THE PERFORMANCE OF THEIR OBLIGATIONS UNDER THIS AGREEMENT, NEITHER THE PROVIDER NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY COMPENSATORY, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES IN CONNECTION WITH ANY LOSS, WHETHER FORESEEABLE OR UNFORESEEABLE (INCLUDING, WITHOUT LIMITATION, LOSS OF ASSETS, DATA, INTANGIBLES, PERSONAL INJURIES, PROPERTY DAMAGE), OR LIABILITY REGARDING THIRD PARTY INTELLECTUAL PROPERTY. THE PROVIDER’S LIABILITY UNDER THIS AGREEMENT IS LIMITED TO, AND UNDER NO CIRCUMSTANCES SHALL EXCEED, THE AMOUNT OF THE CONSIDERATION REFERRED TO IN CLAUSE 3. THE CLIENT ACKNOWLEDGES AND AGREES THAT THE LIMITATIONS ABOVE ARE ESSENTIAL TO THE PROVIDER, WITHOUT WHICH THE PROVIDER WOULD NEITHER ENTER INTO NOR BE BOUND BY THIS AGREEMENT.

15. Miscellaneous.

(a) Assignment. Except as otherwise provided in this Agreement, the terms and conditions of this Agreement shall inure to the benefit of and be binding upon the relevant successors and assignees of the Parties; provided that any assignment of the rights or obligations of a Party under this Agreement in favor of a third party shall require the prior written consent of the other Party. Any assignment without the prior consent of the other Party shall be null and void and shall be rendered invalid. (b) Entire Agreement. This Agreement, together with the Commercial Proposal, constitutes the entire agreement between the Parties with respect to its subject matter, and supersedes any prior agreement or understanding, whether oral or written, between the Parties with respect to such subject matter. In the event of any inconsistency between the provisions of this Agreement and the contents of the Commercial Proposal, the provisions of the Commercial Proposal shall prevail. (c) Dispute Resolution. In the event of a dispute between the Parties, the Parties shall first attempt to settle such dispute informally by means of good faith negotiations. If the Parties are unable to settle the dispute within fourteen (14) calendar days from such negotiations, the Parties agree that, to the extent permitted by law, any dispute or claim that one Party may have against the other, including those arising from or relating to the interpretation, application or enforceability of this Agreement, shall be referred to non-binding mediation, conducted by a mediator mutually agreed upon by the Parties. The Parties shall also pay in the same proportion the mediator’s fees. The Parties agree to pay their own attorneys’ fees and costs prior to and at the mediation. If the mediation does not settle the dispute, the Parties shall submit to arbitration proceedings pursuant to Clause 15(d). (d) Applicable Law and Arbitration. The interpretation, execution and/or performance of this Agreement and its annexes shall be subject to the laws of the State of Delaware, United States of America. If the Parties fail to settle the dispute by mutual agreement upon completion of the dispute resolution procedure set forth in Clause 15(c), any dispute arising from or relating to this Agreement shall be finally settled in accordance with the Commercial Arbitration Rules (the “Rules”) of the American Arbitration Association, by one or more arbitrators appointed in accordance with such Rules. The arbitration shall be conducted in English and the place of arbitration shall be Miami, Florida. BEING FULLY AWARE OF ITS IMPLICATIONS, BOTH PARTIES VOLUNTARILY AND INTENTIONALLY WAIVE THEIR RIGHT TO A JURY TRIAL WITH RESPECT TO ANY LITIGATION ARISING FROM, UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY DOCUMENT ATTACHED THERETO. THE PARTIES ACKNOWLEDGE THAT THIS WAIVER IS AN ESSENTIAL CONDITION TO ENTER INTO THIS AGREEMENT. (e) Injunctive Relief. The Parties agree and acknowledge that it will be impossible to measure in terms of money the damage arising from either Party’s breach of any of its obligations under this Agreement and that, in the event of a breach, an affected Party would suffer irreparable damage, with no legal remediation. Therefore, the Party affected by a breach (in addition to any other remedy to which it may be entitled at law or in equity) shall be entitled to injunctive relief, including specific performance, to enforce such obligations. If an action is brought in equity to demand performance of this Agreement, the Parties may not raise as a defense the existence of an adequate remedy at law. (f) Severability. If one or more of the provisions of this Agreement are held to be invalid, illegal or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect and this Agreement shall be read as if the invalid, illegal or unenforceable provision had not been included. (g) Amendments. No variation, amendment, alteration, or addition to this Agreement and/or the Commercial Proposal shall be valid or binding unless expressed in writing and signed by both Parties. (h) Notices. Any notice or notification that a Party is required or wishes to give to the other Party under this Agreement must be made exclusively by email to the addresses specified in the Commercial Proposal. Such communication shall be deemed effective only if received on a business day and during business hours. (i) Headings. The headings in this Agreement are for convenience only and do not affect the interpretation of this Agreement. (j) Counterparts. This Agreement may be signed in one or more counterparts, each of which shall be deemed to be an original, and all of which shall constitute a single agreement.

IN LIGHT OF THE FOREGOING, the Provider and the Client enter into this Agreement through their duly appointed representatives, and have read and fully understand the content of this Agreement that will enter into force as of the Effective Date.

1. Objectives and Reach

This proposal is designed so that Hackmetrix LLC (hereinafter “our team”, “we”, “us” or “Hackmetrix”) can assist and advise the Customer (hereinafter “the Customer”, “your” or “The customer”) on the cybersecurity status of their systems under scope.

The main objective will be to find vulnerabilities that could be exploited by attackers and later cause reputational damage or incur an economic loss in the medium term. These cybersecurity improvements are to be implemented in The customer systems to prevent a user with bad intentions from:

  • Accessing sensitive company information
  • Carrying out an information wipe
  • Carrying out an information breach
  • Making changes to databases
  • Shutting down the application for an extended period of time

The services and the work methodologies carried out, comply with all the standards and recommendations issued by current national and international Public and Private Bodies of competence in the field of information security, such as PCI DSS, HIPAA, ISC2, ISECOM, EC / COUNCIL, OWASP, ISO 27001 Annex A ISO 27002, thus allowing us to meet customer requirements in certification matters.

Global Objectives

  • Determine the level of impact of vulnerabilities to assess the current risk.
  • Know the level of exposure to certain threats.
  • Advise on the most appropriate current technologies in terms of security.
  • Deliver reports with solutions and mitigation options for the risks found.

Technical Objectives

  • Test different attack techniques to successfully penetrate the customer assets under analysis.
  • Exploit the most significant vulnerabilities detected.

Detailed Reach

Internal Phishing Test
Scope Tentative Date
200 Employees Month / 2025

2. About Us

With our expertise and skills in Ethical Hacking, we want cybersecurity to be a growth tool for startups.

In Hackmetrix we help our clients meet their objectives and grow their businesses, either by participating in their certification process for regulatory compliance or by advising them in risk management. To achieve this, we simulate tailored attacks on each application’s use cases, these range from mainframe-enabled systems to traditional client-server applications. Our versatile approach fuels a risk-focused threat model for a greater understanding of what is at stake.

Our Team

Imagen en Public

Our Clients

B2B SaaS

Imagen en Public

Fintech | Crypto | Insurtech

Imagen en Public

Healthtech | Logistech | Otros

Imagen en Public

Testimonials

“We trust Hackmetrix as an important ally to our overall secure development methodology. Their work has allowed us to provide feedback and improve internal processes that led to safer software delivery from the early stages. They have a versatile knowledge of new and old technologies. They also have a highly customer-focused team, which allows us to move away from static work protocols and to coordinate dynamic work roadmaps that adapt to how we work at Mercado Libre. ”

—Alejandro Iacobelli - Application Security Manager (ISC)² CSSLP, Mercado Libre.

“Before hiring we looked at different providers. We chose Hackmetrix because their knowledge and expertise in computer security was superior compared to others. Their counseling was successful, clear and orderly planned. They successfully identified real security problems and provided clear indications to correct them.”

—Francisco Echeverría S. - CTO, Autofact.

“A fantastic experience. With a team of first-rate professionals, with cutting-edge security knowledge. At all times we felt strongly supported and confident that the service provided was just what we needed and more.”

—Livio Carrasco - CTO, Tutenlabs.

“For a long time we looked for a partner that could support us in the mission of finding and correcting potential security breaches. At Hackmetrix we found an agile team that allowed us to move forward and provide our clients with the certainty that our concern for technological security is well supported by a first-rate team. Thanks to Hackmetrix we have managed to ensure the operation of large corporations not only in Chile, but throughout Latin America. ”

— Felipe Alvarado. - CTO, Rankmi

3. Service Details

Kick Off Date

Once the contract is signed, we will hold a meeting to define deadlines, objectives, expectations and needs. After the meeting, we will email you a minute so you can approve the plan going forward. When we receive confirmation, we will start with providing the service.

Test Start Date

We will define this date together with the customer, at least 10 business days prior to the start of the project (Kick off). The tests will be given according to the methodology detailed later in section 4.

Vulnerability Report

This first report provides the necessary information to take mitigation measures, and is divided into two sections, one for the business area and the other for the technical area.

Executive Summary

  • Provides a summary of the information in a non-technical language to aid decision-making.
  • Describes the number of vulnerabilities found and the impact they have on the organization.

Technical Summary

  • Describes all vulnerabilities
  • Shows proof of concept, its exploitation and information on how to repair those vulnerabilities.
  • Allows your IT team to prioritize mitigation in the development cycle.

Vulnerability Retest

The customer will have the support team available up to 8 weeks after the final presentation of results to repair the vulnerabilities and request the retest on the same environment and initial conditions. In this way, they will be able to solve their doubts during the remediation of vulnerabilities.

This service includes a single retest that will be 100% rewarded, if requested, and executed within the stipulated period of 8 weeks. In the event that for any reason the retest had to be executed outside 8 weeks, we will present a financial proposal to extend the support date.

Certification Report

Finally, after retesting, the customer will obtain a Certification Report, an instrument for their clients stakeholders, and/or suppliers in which we certify that the vulnerabilities detected were repaired and that the corresponding protection measures have been taken.

Duration of Service

This service proposal is designed to span approximately 3 months, distributed as follows:

  • Phase 1: “Intrusion Analysis Execution”
    • This phase will be carried out after the kickoff meeting.
    • Duration: Up to 3 business days.
  • Phase 2: “Project Support”
    • This phase will begin once the vulnerability report has been delivered.
    • Duration: Up to 8 weeks.

Once confirmed, we will agree with The customer on the work plan and the definitive dates for the start of each phase. You will receive weekly updates to inform you of the current status and a final presentation of results. Each of these reports will be delivered through an encrypted channel with an expiration period. It will be the customer responsibility to access and safeguard the delivered information.

4. Work Methodology

In the following graphic we describe the work methodology that we use in each Ethical Hacking project. It is divided into five stages:

Pre-commitmentData collectionChaining testsReportRetest
Project objectivesOSINT MethodologyVulnerability analysisSummaryRemediation
Expected resultsRecognitionExploitationFindings
ReachProfilingPost-exploitationProof of concept
CoordinationProject supportAttacks made
Kick off

4.1 Social Engineering Test

The weakest link in the security chain is the human. Social engineering is the art of manipulating people to provide confidential information. The types of information or access sought may vary, but the personnel working in the organization will always be the main target. We will try to deceive them to access their computers and install malicious software that will give us control over their computers and visibility over the customer internal network.

Data Collection - Stage 1

We will identify high-level executives working at the customer who could, through deception, provide us with access to the internal network or critical business information. For this, we will use public sources such as social networks: LinkedIn, Facebook, Twitter, etc.

Additionally, the customer communications, image, hierarchical structure, and relationship with suppliers will be analyzed as a reference.

Data Collection - Stage 2

By cloning the customer images and communications and/or suppliers, we will develop:

  • Websites
  • Phishing email templates
  • Advertising documents

In addition, the possibility of generating fake domains similar to the customer will be evaluated. These will be used to send emails (phishing) based on a previously obtained internal personnel database from public sources and/or provided by the customer. Finally, we will develop malware that simulates malicious behavior, without actually damaging the machine and with controlled vectors. It’s a quick and safe way to discover if your company’s machines are vulnerable to real attacks.

Report - Etapa 3

We will prepare a report describing the vulnerabilities found along with evidence and their possible solutions. Our report highlights key information about each vulnerability discovered during the Social Engineering test. The “Details” subsection of each vulnerability will exhibit a validation (PoC) and, when applicable, an attempt to exploit the finding in a manner similar to what an attacker would do to further their attack objectives. If the attack is successful and if identifiable, the report will include information about the people affected by the phishing.

5. Payment Method

Sponsored by AWS, at no cost.

6. Budget

Professional fees have been estimated according to the time that members of our team are expected to dedicate to the execution and supervision of the project, considering the objectives of the review and the preliminary work plan:

QuantityQuantityPrice
Spear Phishing12.000 USD
BonificaciónTotal
TOTAL:$0

General Budget Observations

  • Prices are expressed in U.S. Dollars.
  • Services are confirmed by a Purchase Order or the equivalent.
  • The costs of the services do not include per diem, since the services can be executed remotely. Likewise, presentations can be made through high-performance video conferencing tools.

7. Communications and Reviews

Before starting the project, the customer team member is assigned as our main contact. This is the person with whom we will coordinate, request and consult all aspects of the tasks to be carried out. Those responsible designated by the customer must be considered as valid interlocutors in the technical aspects of this proposal, whose names and contact details are as follows:

Name
Position
E-mail address
Phone

Communications between the different parties will be made through emails, phone calls and meetings agreed in advance. The reports will be delivered via email.

Delays in the responses necessary to perform our tasks may produce automatic extensions in the delivery period equal to, or greater, depending on the task to be carried out, to the delay period.

Hackmetrix’s response time is determined between 4 and 24 hours for the start of case care.

8. Work Delivery Terms

The customer has the obligation to provide all the information for the project in an orderly and judicious manner. If the contents are in more than one language, the customer must present said contents in the chosen languages.

The customer has the responsibility to deliver all the information requested within a reasonable time, established by mutual agreement. In the event that customer does not comply with its delivery, the service will also continue to be provided with the material that is counted up to that moment and Hackmetrix will not be responsible for the lack of them and the results that they produce.

9. Guidance and Support

Hackmetrix has the responsibility to assist DEER with questions or queries when necessary. An example of this could be the arrival of a client’s request or the accompaniment to a meeting with a customer client to handle security objections.

This type of support does not incur any cost, however, if this results in a new service to be performed by Hackmetrix, a proposal for such service will be generated which will be analyzed by both companies.

10. Confidentiality

Hackmetrix and customer must keep confidential information to which they have access safe and secret; protecting it as if it were their own. Hackmetrix and customer may use said confidential information exclusively for the purpose indicated in the proposal.

“Confidential Information” shall be understood as any information provided or that is delivered on the occasion or occasion of the services provided, among other matters, to all data, knowledge, information, clientele, tax, accounting, financial or patrimonial information, contractual obligations and legal, knowledge or technical information, and any business plan or strategy, ideas and concepts of marketing strategy, prices, volume estimates and others that are not public knowledge, whether it is in writing or has been obtained orally or by any other way.

At the time that Hackmetrix or the customer is legally required by the competent authority and under any legal procedure, to reveal any confidential information, the communicator of said request or requirement must be immediately notified prior to the disclosure so that the latter can request appropriate protection measures so that the Confidential Information that is requested or required maintains that character and / or may waive its rights in accordance with the terms of this Agreement. It is understood that nothing stipulated in this clause shall be construed to oblige Hackmetrix and customer to act against the legal provisions in force in the United States of America.

11. Validation of Proposal

This offer is valid for a period of 30 consecutive days from its date of issue. After that date, a new proposal should be requested.

Once accepted, this proposal will be valid per se and will have all its effects, rights and obligations, and will not be subject to cancellation, reimbursement or any type of compensation.

¿Listo para comenzar?

Las empresas más innovadoras del mundo confían en Hackmetrix

Hackmetrix © 2024. Todos los derechos reservados

Este sitio web almacena cookies en su computadora. Estas cookies se utilizan para recopilar información sobre cómo interactúa con nuestro sitio web y nos permite recordarlo. Utilizamos esta información para mejorar y personalizar su experiencia de navegación y para el análisis y las métricas de nuestros visitantes tanto en este sitio web como en otros medios. Para obtener más información sobre las cookies que utilizamos, consulte nuestro Aviso de Privacidad

De acuerdo