Rules of Engagement
- No Denial of Service testing
- No Physical or Social Engineering
- No testing of Third-party Services
- No uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox, YouTube)
- All attack payload data must use professional language
- If able to gain access to a system, accounts, users, or user data, stop at the point of recognition and report. Do not dive deeper to determine how much more is accessible.
- When documenting a vulnerability, if a vulnerability is public, please make sure it is discreet and doesn't identify the client.