This policy establishes binding rules for all penetration testing engagements and Bug Bounty Program (BBP) maintenance conducted by Ezekiel//sec. It applies to internal employees, subcontractors, and external security researchers. Adherence guarantees client safety and legal compliance.
Testing prioritizes safety; no fuzzing on production auth modules without explicit authorization.
Exfiltration prohibited; proof via metadata only.
Findings treated as client IP. Strict Clean Desk policy enforced.
Binding Safe Harbor Letter provided to all researchers upon engagement initiation.
Signed authorization required before any engagement begins. Scope Boundary Table defines in-scope assets with precision. Third-party authorization remains the client's responsibility.
Testing halts immediately upon discovery of critical/zero-day vulnerabilities. Client notified within 1 hour. Coordinated Vulnerability Disclosure (CVD) 90-day timeline enforced before any public release.
- Social Engineering: Restricted — requires explicit written sign-off.
- Physical Intrusion: Restricted — legal waiver required.
- DoS / Fuzzing: Prohibited unless destructive testing waiver is signed.
- Privilege Escalation: Allowed for PoC only — no persistent backdoors.
- Data Exfiltration: Strictly prohibited — directory listing/metadata only.
Report submission via encrypted channel → triage within 24h → client notification. Researcher embargo enforced until patch is ready and deployed.
No legal action against researchers who stop at data exposure, avoid service interruption, and respect embargo timelines.
First report timestamp determines bounty eligibility. Re-test conducted only after patch deployment is confirmed.
No trolling or harassment of client staff. If illegal content is encountered, all testing stops immediately — report to CISO within the hour.
PGP encryption mandatory for all reports. Clean Desk: client data wiped after engagement per DoD 5220.22-M standard.
Critical infrastructure findings reported as per regulatory mandate. No EU/CA user data processed without a valid DPA in place.
If Ezekiel//sec violates these Rules of Engagement (RoE), the client may terminate the engagement immediately with a full refund.
Minor violation: warning issued and/or report rejection. Severe violation (unauthorized data access): permanent ban, forfeited bounties, and law enforcement notification.
Immediate termination and full legal liability without exception.
By initiating a penetration test or joining the Ezekiel//sec Bug Bounty Program, the undersigned acknowledges and accepts full agreement to these Rules of Engagement, including all clauses regarding safe harbor, responsible disclosure, and operational conduct.