The BSidesLV Proving Grounds slide deck accompanying my talk for independent security consultants on how to protect themselves from lawsuits (and get paid!)
BSidesLV 2019 - Cover Your A**: How to Protect Yourself as an Independent Security Consultant
1. Cover Your A**: How to Protect Yourself
as an Independent Security Consultant
2. About Me
My name is Suchi Pahi
I’m a Data Privacy &
Cybersecurity Attorney
You can find me on Twitter!
@SuchiPahi
3. I am not your
lawyer,
This is not
legal advice.
4. What’s on Tap?
What is included in the contract?
How do I get these documents?
Okay, but which pieces do I really care about?
What do I need to know about the Statement of Work/
Scope of Services?
Where are the sticking points in the contract?
Odd and ends
Recap
Resources
6. Your standard set of
documents for an assignment
should include:
Non-disclosure Agreement* - Mutual agreement to
protect your information and client’s information
Master Services Agreement – The high-level
umbrella document that has who, what, where,
when, how & why
Scope of Services / Statement of Work – The
detailed document that goes into each assignment
for client
Authorizations* - Get Out of Jail Free Card!
10. Master Services Agreement
The Basics
• Parties
• Purpose
• Definitions
During Agmt.
• Rights &
Responsibiliti
es
• Assignment
• Reps &
Warranties
• Payment
End of Agmt.
• Limitation of
Liability
• Indemnificati
on
• Severability
• Governing
Law
• Waiver
• IP
11. The SOW – Protecting Yourself
PURPOSE PROJECT
SCHEDULE
TARGETS METHODS CONTROLS
DELIVERABLES TOTAL
COST
PROVISION THAT THE SOW IS
SUBJECT TO THE MSA
12. Authorizations
Phys Sec – Keep a Get Out of Jail
Free Card! (Document that says
your auth’d to do what you’re
doing)
It should be signed by the
folks who have hired you as
consultant.
Otherwise, keep the emergency
contact # and name of a person
who can keep you out of trouble.
13. What’s on Tap?
What is included in the contract?
How do I get these documents?
Okay, but which provisions do I really care about?
What do I need to know about the Statement of
Work/ Scope of Services?
Where are the sticking points in the contract?
Odd and ends
Recap
Resources
14. How Do I Get These Documents?
• They send an NDA
• Initial meeting with client
• You prepare a scope of services and
proposal
• You also provide your version of an MSA
Client reaches
out or You reach
out to Client
• Definitions
• Payment
• Indemnification & Liability
• Termination
Then we start
MSA Negotiations
• Targets
• Both Party’s Responsibilities
• Delays
• Deliverables
Next, SOW
Negotiations
15. What’s on Tap?
What is included in the contract?
How do I get these documents?
Okay, but which provisions do I really care about?
What do I need to know about the Statement of
Work/ Scope of Services?
Where are the sticking points in the contract?
Odd and ends
Recap
Resources
16. The Big 5 – These, Done Right
Protect You From Trouble
#1: The Document
Statement of Work/
Scope of Services
#2 - #5: Provisions of
Interest
Limitation of Liability
Confidentiality
Requirements
Indemnification
Contract Termination
17. What’s on Tap?
What is included in the contract?
How do I get these documents?
Okay, but which provisions do I really care about?
What do I need to know about the Statement of
Work/ Scope of Services?
Where are the sticking points in the contract?
Odd and ends
Recap
Resources
18. What do I need to know about the
Statement of Work (AKA Setting
Expectations!)
Purpose
Process
Scope
Deliverables
19. What’s on Tap?
What is included in the contract?
How do I get these documents?
Okay, but which provisions do I really care about?
What do I need to know about the Statement of
Work/ Scope of Services?
Where are the sticking points in the contract?
Odd and ends
Recap
Resources
20. Odds & Ends
How do you
get paid?
IP
Track Changes
Will you get sued?
Third parties
Your Client,
Your Contract
The
CFAAAAAAAAAA
(CFAA)
21. What’s on Tap?
What is included in the contract?
How do I get these documents?
Okay, but which provisions do I really care about?
What do I need to know about the Statement of
Work/ Scope of Services?
Where are the sticking points in the contract?
Odd and ends
Recap
Resources
27. Ask your peers for their
suggestions and
resources. Share the
knowledge.
28. Thanks, Y’all!
Many thanks to the community, especially BSides Proving Grounds
organizers and mentors (props to Clint Gibler for being an
awesome mentor) and additional help/ not to be forgotten:
Jeff Man
Lisa Angelo
Jon Nichols
Falcon Darkstar
Wendy Knox Everette
and others! This list gets long quickly.
29. Additional Resources
Sample Documents and Provisions
A short template for general contracting
Sample Provisions for your documents (see Slides XX – XX)
How to Draft a Contract
Contracting for Non-Lawyers
This has some good details
UpCounsel’s Explanation of SOWs
How to read a Contract
Effectively Negotiating
Negotiating the MSA (Nixon Peabody)
Top 5 for Negotiating
Legal to Lay People Terms (see Slides 30 -31)
Examples of Provisions (Slides 32-42)
Who do I hire? (What Lawyer Does What?)
30. Legal Term What it Means
Indemnification Client makes you whole/ protects
you from harm
Governing Law/ Choice of Law The state law that administers
the entire Agreement
Assignment Someone stands in your (or
client’s) shoes to fulfill the
Agreement
Limitation of Liability A list of things that you or both
parties can’t be sued for and if
you can be sued, the maximum
amt. you can be sued for.
Breach Violation
31. Legal Term What it Means
Force majeure Unforeseeable circumstances
that will stop you from fulfilling
the contract (e.g. war,
hurricanes, death)
Injunction Court order to “stop doing the
thing you’re doing” or be fined/
imprisoned.
Damages $$$ to make someone whole
after they’ve been injured (e.g.
economic loss).
Copyright IP right applies to tangible works
of authorship, incl. software.
32. Ex. A - What
Should Your
Proposal Have?
A Table of
Contents!
NAME OF AGREEMENT
1. Executive Summary
2. Scope of Services
3. Project Schedule
4. Fees and Expenses
5. Master Services Agreement
6. Signatures
33. Ex. B : The Executive Summary of a Proposal
and SOW after Initial Client Meeting
I. Executive Summary
YOUR COMPANY is pleased to present this proposal and Statement of Work
(“SoW”) to POTENTIAL CLIENT COMPANY. Based on the initial discussion on
DATE between YOUR COMPANY and POTENTIAL CLIENT COMPANY, a
requirement exists to DO A THING (vulnerability assessment? Audit? Pen test?)
During DO A THING, YOUR COMPANY will perform USE THESE METHODS
(GENERAL) AND TARGET THESE THINGS (e.g., iOS). YOUR COMPANY will
provide THIS DELIVERABLE.
PRICING TERMS.
YOUR COMPANY will provide a final product of FINAL DELIVERABLE (REPORT,
RECOMMENDATIONS, ETC). YOUR COMPANY looks forward to working with
POTENTIAL CLIENT COMPANY
34. Ex. C: Make the SOW subject to the MSA
All YOUR COMPANY work is subject to the terms and conditions in the fully executed
Master Services Agreement between YOUR COMPANY and CLIENT COMPANY dated
DATE. This Statement of Work and, unless specifically stated otherwise, all Statements
of Work between YOUR COMPANY and CLIENT COMPANY, and all work and services
performed by YOUR COMPANY for CLIENT COMPANY, are subject to the terms and
conditions of the Master Services Agreement.
This Statement of Work (“SOW”) is made pursuant and subject to the Master Services
Agreement(the “Agreement”) by and between YOUR COMPANY, and CLIENT COMPANY
and shall be dated DATE. This SOW describes Services to be performed and provided
by YOUR COMPANY pursuant to the Agreement. Capitalized terms used but not defined
in this SOW shall have the meaning ascribed to them in the Agreement. If any item in
this SOW is inconsistent with the Agreement, the terms of the Agreement will control,
unless otherwise specified in writing
35. Ex. D: Assignment, Waiver, Severability, and
Choice of Law provisions (Found in MSA)
Waiver
No provisions of this Agreement or any breach thereof shall be deemed waived unless such waiver
is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of
a breach shall constitute a waiver for excuse of any different or subsequent breach.
Assignment
Neither party may assign (whether by operation or law or otherwise) any of its rights or delegate or
subcontract any of its obligations under this Agreement without the prior written consent of the
other Party. Notwithstanding the foregoing, CLIENT COMPANY shall have the right to assign its
rights and obligations hereunder to any entity that is an affiliate or successor of CLIENT COMPANY,
whether by merger, acquisition, change in control, or other transaction involving the sale of all or
substantially all of CLIENT COMPANY assets, without the prior approval of YOUR COMPANY.
Severability
Any provision of this Agreement that is determined to be invalid or unenforceable will be
ineffective to the extent of such determination without invalidating the remaining provisions of
this Agreement or affecting the validity or enforceability of such remaining provisions.
Governing Law*
This Agreement shall be governed and interpreted in accordance with the laws of the state of
WHICH STATE, excluding its conflicts of laws provisions. Jurisdiction and Venue for any dispute
relating to this Agreement shall exclusively rest with the state and federal courts in THE SAME
STATE
36. Example E: Setting forth compensation
in your MSA
Fees. Company will pay Contractor the fee specified in each SOW as
Contractor’s sole compensation for the Services, provided such Services meet
the term of the SOW and this Agreement and are of a quality consistent with
industry standards. Contractor shall be responsible for all expenses incurred in
performing Services under this Agreement, except as set forth in the SOW. Upon
termination of this Agreement for any reason prior to completion of a SOW,
Company will pay Contractor fees and expenses on basis stated in the SOW for
work which is then in progress, within 14 days after the later of (a) Contractor’s
invoice, and (b) the effective date of such termination.
Invoicing. Unless otherwise provided in an applicable SOW, (a) payment to
Contractor of undisputed fees will be due 14 days following Company’s receipt
of an invoice which contains accurate records that document work performed
for the invoiced fees; and (b) Contractor will submit invoices to Company on a
monthly basis.
37. Example F: Mutual Indemnification
Indemnification by YOUR COMPANY. YOUR COMPANY shall defend CLIENT COMPANY against
any claim, demand, suit, or proceeding (”Claim”) made or brought against CLIENT
COMPANY by a third party arising from (a) YOUR COMPANY’s breach of its confidentiality
obligation under this Agreement, (b) YOUR COPANY’s gross negligence or willful
misconduct, and (c) YOUR COMPANY’s breach of its [ANY SECURITY EXHIBITS/ DATA PRIVACY
AGREEMENTS?] set forth as Exhibit [x] to this Agreement, and shall, in each case, indemnify
CLIENT COMPANY for any damages against, or agreed to by YOUR COMPANY in settlement
of, any such claims.
CLIENT COMPANY shall defend YOUR COMPANY against any Claim made or brought against
YOUR COMPANY by a third party arising from CLIENT COMPANY’s provision of [WHAT DOES
THE COMPANY GIVE YOU SO YOU CAN DO YOUR JOB?] or CLIENT COMPANY’s use of Services
in violation of this Agreement, and shall indemnify YOUR COMPANY for any damages finally
awarded against, or agreed to by CLIENT COMPANY in settlement of any such claim.
38. Exhibit G: Limitation of Liability
In no event shall either party’s liability arising out of or related to this
agreement, whether in contract, tort, or under any other theory of liability,
exceed the amount paid or payable to YOUR COMPANY under this agreement
in the prior six month period. The limitations on liability set forth in this
section or otherwise set forth in this agreement shall not apply to liabilities
arising from (a) either party’s indemnification obligations under this
Agreement, (b) either party’s breach of its confidentiality obligations under
this Agreement, (c) either party’s gross negligence or willful misconduct.
39. Exhibit H: Termination
Termination without Cause. Either party may terminate this Agreement or any
SOW without cause at its convenience upon thirty (30) days’ prior written notice
to the other party. Each party will pay only those fees and expenses related to
services actually performed up to and during such notice period as specified in the
SOW.
Termination with Cause. Either party may terminate this Agreement immediately
in the event that the other party has materially breached the Agreement and fails
to cure within five (5) day of receipt of written notice by the non-breaching party,
setting forth in reasonable detail the nature of the breach. Only those fees and
expenses related to services actually performed during such notice period, as
specified in the SOW, will be paid.
SOW Termination. The termination of an SOW pursuant to the SOW’s terms shall
not invalidate or terminate this Agreement.
40. Exhibit I: Project Phases in Statement of
Work tied to Compensation
Milestone Fee (USD)
Compensation will be payable in accordance with the table immediately above.
In the event that the Agreement or this SOW is terminated prior to completion
of the services set forth in the SOW, YOUR COMPANY will issue a final invoice for
all Milestones accepted by CLIENT COMPANY prior to the effective date of the
termination.
41. Exhibit J: What rights do you and the client
have if they don’t like your product? This is
an approval of deliverables clause.
If CLIENT COMPANY determines that the Services for which YOUR COMPANY is
responsible under this SOW are not satisfactory as a consequence of any YOUR
COMPANY act or omission, CLIENT COMPANY may give YOUR COMPANY notice of
the deficiency. YOUR COMPANY shall have a reasonable opportunity to
investigate the reported deficiency, and the Parties shall use reasonable, good
faith efforts to agree on the cause of the deficiency.
42. Exhibit K: IP Rights
Reservation of Rights. Subject to the limited rights expressly granted
hereunder, YOUR COMPANY reserves all rights, titles, and interest in and to
the Services, including all related intellectual property rights. No rights,
express or implied, are granted to CLIENT COMPANY other than as expressly
set forth herein.
43. Who Do I Hire? Types of Lawyers
Type of Concern Type of Lawyer
Can I patent this? Where is my
copyright? How does software IP and
licensing work?
Intellectual Property Attorney
My client won’t pay me! General Civil Litigator
There is an incident involving data! Cybersecurity Lawyer (but read the
description on their bio page, they
could be *compliance, or *cyber-crime,
or *incident response only
My client is suing me for CFAA things This is *still* a Civil Litigator
The Feds are after me! Criminal Defense Attorney (probably
pro bono)
44. Questions?
Key Takeaways:
Don’t leave terms
(especially the four
provisions –
indemnification, liability,
confidentiality, and
termination) ambiguous
Carefully define the SOW
Draft your own NDA and
MSA (if possible)
Ask your peers for
resources/ knowledge
sharing
Suchi Pahi
Data Privacy &
Cybersecurity Attorney
@SuchiPahi
Editor's Notes
This was originally – Cover Your A**, how to protect yourself when you’re red teaming. But, turns out, the principles are a little broader – so it’s Cover Your A** - How to Protect Yourself as An Independent Security Consultant!
Why am I here: I found myself helping friends who are working in the hacker space when it came to protecting themselves and their work when contracting with clients. I’ve been a cybersecurity/data privacy lawyer for ~ 5 years, mostly working on the big corporate side with the Fortune 100 companies. But I grew up with tech nerds and engineers in my family, which means I know more than a few folks who are independent consultants and need help sometimes on figuring out whether they are going to get sued, and if they do, what they can do to protect themselves.
This is meant to be informative.
TL;DR - I drink, and I know things. And I’m here to share with you the tips and tricks that I’ve shared with my friends.
“Alright folks, here’s what’s on tap for this talk. We’re going to walk through various pieces of what you need as an independent consultant and spot the issues. We’re going to start at the beginning of the whole process – so if you’re pretty savvy on the contracting part of this, hang in there with me. By the end of this presentation you should have an idea of what you need to keep an eye out for when you’re working with your clients. I do briefly touch on the intellectual property part of this, e.g. licensing and copyright at the end. I’ve also included a few resources for you in the last slide. When you take a look at the resources and use this talk/ slides later (or your notes etc.) remember that you are operating in a very flexible situation with different client types and sizes. So you should tailor everything, and be diligent in reviewing your own documents.
TL;DR now and then we’ll go into these in detail later.
There are a few ways in which a contract or agreement might be set up between you and a client. The contract or agreement could be one document that includes an authorization, confidentiality provision, and scope of services/ statement of work. Or, it could be multiple documents that together act as a complete contractual agreement. Depending on your state, if you ever end up in court, you may have to argue what makes up your contract. Typically, courts will only really buy that your contract is contained within the four corners of a document / set of documents. That means your side conversations, or emails, or texts, won’t have bearing on the actual total Agreement that you have with your client.
So – your job as an independent security consultant, is to make sure that you include *all of the terms* that you could want in your actual agreement(s) itself.
Now – back to the documents themselves - in my experience, first, you most often see a non-disclosure agreement that is signed prior to the rest of the agreement, so that you and the client can have an honest discussion about what you have to offer as a red teamer to them, and then a second document that is a primary agreement that includes, in frequently fancy lawyer language:
What you’re going to do
The company’s direction/authorization that you do it
How long you’re authorized to do the thing
When and how you’re going to be paid
When and how either party can breach the contract
Who is on the hook for breaches and what the parties can sue for
This primary agreement is then supplemented by a third piece of paper (or multi-page document) that has the exact scope of services, also known as the scope of work. This answers questions such as - how many boxes, what kinds of boxes, IP address ranges, types of authorized attack vectors, etc. This second set can also cover intellectual property (or, the MSA will have the IP rights).
If you’re doing any type of physical security work, some folks make it a point to get an express written authorization that they carry on them in hard copy form so that if there is any trouble at the premises of the client, you can show that. Or have a cell #// name, etc.
Let’s look at a quick example of each- just so you know/ can be familiar with the face of the document.
Thinking about these in a visual manner can be helpful – here, if you have an MSA in place where you’ve negotiated all of the important terms of the contract, including how you get paid, then you’ll have the specific statement of work or scope of services documents follow from the MSA. They’ll incorporate the MSA by reference (e.g. ”Nothing in this Statement of Work/ Scope of Services is intended to replace or otherwise change the terms of the MSA, signed on [DATE]. Any conflicting terms or definitions will be resolved in favor of those used in the MSA”)
Note, the NDA is not after the MSA and does not fall from the MSA. The NDA also is not necessarily before the MSA, although considering you’re in security consulting, there is probably an NDA.
If you have a Get Out of Jail Free Card – it is going to tag in with your SOWs (Statements of Work or Scope of Services documents).
Okay let’s start with the first document (most likely first) - the Non-Disclosure Agreement.
What other sections do you see in an NDA?
Definitions – including the definition of confidential information or proprietary information
You can typically request that the Client clarify what information is Confidential by marking it as such. However, in many cases if you have a mid-size to large client, they’ll tell you all of it is Confidential Information/ and includes things like business knowledge, business relationships, types of technology, financial information, trade secrets, etc.
Equally important in this definition is to make note of what is *excluded* from Confidential Information. These tend to be what we call boilerplate – information that is public knowledge, information that you, the red teamer, have developed or are bringing to the Agreement, anything disclosed pursuant to certain legal requirements, e.g. a Court Order or Subpoena, or anything disclosed with written authorization from the Owner.
Requirements of You – the NDA will require you to protect any confidential information and you’ll have an obligation not to re-disclose that information
If you use any subcontractors or vendors, you’ll want to consider whether/ how you’ll include them as parties to the NDA and other parts of the Agreement.
No copying/no modifying
No unauthorized use
Remedies if you violate the NDA – for example, an injunction (which means “stop doing what you’re doing”), a requirement that you return, a right to terminate contracts, potentially a right to sue based on any damage to the business caused by disclosures, indemnification (we’ll discuss how that works later), and attorney fees.
The term/ time limit for the NDA
Sometimes a direct reference to Whistleblower protections.
*The next document you’re going to see if likely called the “Master Services Agreement.” The point of this document is to set forth the purpose of the relationship between you and the client, define terms, and then cover things like “how you get paid” (Compensation) and “what you produce” (Deliverables). Your actual project or project(s) will be included in the scope of services, and the MSA is going to be the overarching document for these various smaller agreements that are time or box-limited.
This actually does a great thing for you - If the client likes you, and you’ve negotiated a master services agreement – then the client just has to negotiate the details in the scope of services or scope of work. So you don’t go back to the drawing board every time.
This is where you really get into the nitty gritty of your project. Which, we’ll get into later. But for now, a Scope of Services or Statement of Work is a more closed in/ limited document. The point of this is to tell the client –
What you’re going to do
A timeframe or schedule of when you’re going to do things
What the targets are/ is
How you’re going to do this generally (e.g. Reverse Engineering, Forensic Analysis)
What you’re testing for (what are those dreaded compliance checkboxes the client wants and what does your work do to check the boxes)
What you’re going to provide to the client – including format, time for delivery, and any review.* You can also let them know whether you validate remediation. Deliverables can be reports, scripts, and more.
You can sometimes also include within these Statement of Work or Scope of Services things like:
Assumptions you’re making – e.g. that you’ll be operating during business hours and business hours are X to X times
Responsibilities for each party – e.g. that the Client will provide access to the targets or will provide items you need for the targets
Any pre-engagement lists – things that need to be done before you actually start your side of the project + any penalties if you get delays from the client side (and what you’re offering if you delay from your side).
I don’t have much to tell you here – you guys have industry standards for how to operate when it comes to physical security assignments, but in the event that you aren’t sure, ask one of your friends, and if you can’t get the information that way – I have seen people either keep hard copies of express authorizations to engage in phys. sec work or I’ve seen folks keep copies of emergency numbers and names.
E.g. medium size to smaller size company coming from the top, if super-large company not so senior, might be head of engineering or something. For red teams – for which you’re doing physical stuff or stealthy things, so you’ll need a super senior person.
Alright! That was a lot! So what is the process by which you actually get these documents?
I’ve mentioned earlier in this presentation that there is a lot of flexibility with the “how to” of actually contracting. While this process starts with a Client reaching out to you or you reaching out to a client – they may sign your NDA if you provide them with one, or they may have you sign their NDA. Then, at the initial meeting with the client, you’re doing some discovery about how they operate, what their pain points are, and what they really need. Subsequently, you’re going to prepare a proposal of the services you’re going to provide (the scope of services) as well as a master services agreement.
What I’ve pulled out for the negotiation parts of each is the important areas. What you won’t see in the MSA or Scope of Service/ Statement of Work negotiations here is the fact that *if you find things while you’re doing this work that you think the client should know about but they haven’t engaged you to provide, I highly recommend you discuss with the person who has engaged you in person and let them know that they exist but that you won’t include them in writing unless the Client wants you to”
This may suck. But – they are the client, and you’ve done your due diligence by at least bringing it to their attention orally.
Your MSA should make sure to include the fact that you are *only* on the hook for *exactly* what is described in the scope of services and not liable for any other vulnerabilities or flaws that are otherwise included in the Client’s ecosystem.
Negotiations may take a week or two minimum. It can take up to a month depending on the client – so when you’re going in, you have to have an idea of what provisions you’re flexible on and what provisions you have absolutely zero flexibility on. Which brings us to – how to approach the important provisions.
Talk about why a 3rd party might sue (two examples). <downstream examples>
So what should you care about when you’re contracting? These five things – because if you don’t get these right, they’ll get you in the most trouble. The first of these is a document, and the other four are provisions.
Statement of Work- Where you lay out, in detail, exactly what you’re going to do, when, and your basic assumptions so that your Client is aware of the things you are doing on behalf of the client and such that you can’t be nudged into doing anything that isn’t within that scope at risk to your own business/ money/ personal anything.
Limitation of Liability - Where establish the things that your client can not sue / hold you liable for (limiting their ability to put you on the hook for things that you should not be on the hook for based on industry practices/standards, and your scope of service/work). This is typically within the MSA. This is also where you cap liability (how much can you get sued for).
Confidentiality Requirements – Where you establish the items that you’re supposed to keep confidential, and the things that they’re supposed to keep confidential, as well as the time limits for these confidentiality provisions (OR – more specifically, the time limits on an NDA).
Indemnification – Where the client agrees to indemnify you (meaning, on your behalf take the arrow, if particular things happen. E.g. if a downstream vendor is affected by the work you do for client, they’ll “indemnify you” so that you don’t have to hire attorneys to handle the claim).
Contract Termination – in short, you need to know how to finish the contract in the event that 1) they aren’t paying you on time; 2) you can’t do what they want you to do; or 3) the relationship has soured.
This is where you tell the client:
What you’re going to do (Purpose)
Generally how you’re going to do it (Process/Methodology)
Scope (Target etc.)
Deliverables (How you’re going to provide feedback).
What am I talking about when I say Purpose? Why has the client engaged you? If the client has engaged you for a network security assessment, then your purpose should include that you’re going to be reviewing the network infrastructure, performing a pen test of the same, and that this will allow you to identify weaknesses and/or vulns. Are you also going to provide remediation/ mitigation? Or some form of risk rating? Then include that as part of your purpose. This should be a clear and straightforward 3-5 sentences maximum.
What about Process. Methodology?
Let’s start with Methodology here - It is difficult to predict ahead of time what you may run into and what tools you may end up using. That’s a fair problem to have. But you should have a general idea of the world of tools and methods you may use. So if you’re doing a code review, e.g. a source code analysis, you can let the client know that you’re going to do a static analysis with generally, “static analysis tools.” You don’t have to list every tool that you use or think you may use.
The Process is level-setting with your client. What can your client expect while you’re completing this project for them. Are there multiple phases in your work? What are those phases? When are those phases? This is the project management side of the contracting. Are you going to do a Phase 1 assessment? What does that include? Some of the best contracts I’ve seen (or Statements of Work) will clearly list out that they’re going to have an initial call and that initial call will help do things like define IP ranges, produce a timeline, determine what resources need to be interviewed. And then there will be a second call or in person meeting that is just info gathering via tools so on, and so forth.
Scope?
This is where you really need to focus. This scope section should *at least* cover what you’re going to be working with. For example, if you’re doing a network security assessment, you should, within your scope, list all of the domains that you’re going to be testing. What is off limits? What is not off limits?
If you don’t scope clearly - your client may ask you to do things that are 1) Not what you expected 2) open you up to lawsuits from other entities (not including the client) and 3) Result in more work than the fees your charging are worth.
*Protip re: pay – do this in parts, partly after, partly before, not at the end.
IP rights – the things I bring are mine, you don’t own them.
Don’t leave the history on your tracked changes on in Word if you’re sending over redlines on a contract to the other party.
CFAA (Computer Fraud and Abuse Act): If you have unauthorized access or exceed authorized access, both terms of art, you’re facing potential civil charges outside of the contract charges for accessing a computer without authorization.
These folks were really encouraging and also helped review this slide deck to make sure it is helpful to you! I recommend following them on Twitter and meeting them in person if you’re looking for people who are bright and know what they’re doing (and helpful). They’re likely better assets for you since you’re in the actual tech side of this space!
These are *super* basic definitions of what some of the terms in your contract mean.
These are *super* basic definitions of what some of the terms in your contract mean.
If you ARE proposing after a client meeting, and have an MSA or SOW, then you NEED to ensure your Proposal includes what you’d include in the SOW + a reference to the MSA (unless you’re also negotiating in MSA, in which case, refer to an MSA but also attach a template of the same or SOLICIT THEIRS)
So this would be if you’ve already reached out and have an MSA in place. You can tailor this to instead offer a proposal, MSA, and SOW. If you’re thinking in terms of stages of acquiring documents for your client relationship, then this is stage 1 of the process – they’ve reached out or you’re reaching out and providing to them information following an NDA.
Any Bold and CAPS need to be replaced.
You can choose either of the two types of verbiage above to make your Statement of Work subject to the negotiated Master Services Agreement.
Most folks use Governing Law to be the State that your Company is registered and incorporated in. Many large businesses/ clients you’ll see will look for a Delaware Choice of Law Provision.
Notice how Party is randomly capitalized? It’s because you can define a term and then indicate that it is a defined term in your contract. So if I have an agreement, and I’m starting with this is the MSA (“Agreement”) between Company A (“nickname”) and Company B (“nickname”), collectively “Parties” and individually “Party.” Anything can be a defined term in an Agreement. This example is of in-line term definitions. The other part of your contract that will include definitions is your MSA Definitions section. Then, when you use those terms during the rest of your Agreement, you always capitalize them so that people know you’re talking about defined terms. This is there you define terms like:
Vulnerability
Equipment
Network
Downtime
Server
ANY OTHER TERMS OF ART (TERMS THAT NEED TO BE SPECIFIC OR ARE SPECIFIC IN YOUR INDUSTRY)
Your Compensation section in the MSA can include general information about how you’ll handle receiving fees, invoicing, and collection – as well as timing of payments and how/when you submit invoices. Remember, your SOW/SOS is where you really want to detail phased payments for particular pieces of your project for the client.
You may limit liability to be even more specific:
For example “with respect to any indemnification obligation of YOUR COMPANY, the aggregate liability of each Party hereunder, for any and all causes of action and/or claims, liabilities (including reasonable attorneys’ fees), expenses, damages, costs, or losses arising out of or relating to this Agreement, whether based in contract, warranty, negligence or otherwise, will in no event exceed the aggregate amount equal to twelve (12) times the aggregate amount invoiced by YOUR COMPANY for Services rendered (excluding surcharges, taxes, and/or fees) during the calendar month prior to the calendar month in which the event giving rise to liability occurred.
You can also just set a cap. That you’re only liable for 300K, or 1M.
You’ll want to have Termination without cause (option to exit the Agreement for no reason) and Termination with cause (option to leave when someone messes up).
In the SOW - you can also set forth Expenses reimbursement (in addition to milestones and compensation details). For example:
Expenses. CLIENT COMPANY will reimburse YOUR COMPANY for those reasonable expenses incurred in carrying out the scope of Services, provided that any such expenses are pre-approved in writing by CLIENT COMPANY and are supported by invoices and receipts.
After this provision – you can set forth various options. For example, if your company or your company’s equipment caused the problem, then you could give the Client Company the right to ask you to correct/ replace/re-perform the Services; withhold money owed under the SOW until the issue has been corrected; terminate the SOW and/or Agreement (If you allow this particular part, you should insist that Your Company is entitled to payment for Services to the date of the notice of termination).
This is a super short non-specific reservation of rights. IP sections can get very lengthy.
Please start your questions with “Who, What, Why, Where, When, or How” and end them in a “?”