256-bit SSL Encrypted State-Compliant 2026 500,000+ Documents Created Updated January 2026

What Happens When Cybersecurity Work Has No Written Engagement Agreement

Cybersecurity consultants who discover critical vulnerabilities have legal and ethical obligations about how they report and disclose findings. Without a written agreement, the scope of work, liability, and responsible disclosure terms are dangerously unclear.

What's at Stake

Penetration testing without explicit written authorization from the system owner is illegal under the Computer Fraud and Abuse Act (CFAA), even with the client's verbal permission. Consultants can face federal criminal charges for testing systems outside the authorized scope.

What Happens If This Goes Wrong

A cybersecurity agreement that doesn't address what happens if the consultant discovers critical vulnerabilities creates conflicts: immediate disclosure vs. remediation window vs. competitive sensitivity.

Critical Deadlines

Execute before any scanning or testing begins. Rules of engagement including testing windows must be agreed before initiating any active testing. Penetration test reports should be delivered within 5–10 business days of test completion. Responsible disclosure windows typically run 30–90 days.

A cybersecurity consulting agreement governs penetration testing, security assessments, vulnerability research, incident response, and ongoing security advisory work. It must define the scope of authorized testing (to prevent criminal liability under the Computer Fraud and Abuse Act), handling of discovered vulnerabilities, and confidentiality of findings.

How This Document Protects You

Scope of authorized access, testing, and systems covered
Explicit authorization to access systems (CFAA protection)
Rules of engagement: testing windows, out-of-scope systems
Confidentiality of findings and responsible disclosure procedure
Deliverables: penetration test report, security assessment
Fees, invoicing schedule, and payment terms
Client obligations: cooperation, system access credentials
Limitation of liability and indemnification

CFAA Authorization

Written authorization protects consultants from criminal liability under federal computer fraud law

Scope Clarity

Defined scope prevents testing systems that could cause unintended outages or damage

Disclosure Protocol

Responsible disclosure terms protect both parties during vulnerability remediation window

Deliverable Standards

Report format and severity rating standards set in advance — clear expectations

State-Specific
Legally Structured
Updated 2026

Cybersecurity Consulting Agreement

Define penetration testing, security assessment, and data handling obligations clearly. Free 2026 template.

Professional Tip: Have the systems in scope, testing boundaries, incident response requirements, and data handling protocols ready before you start.


How to Create Your Document

  1. Define the specific systems and IP ranges in scope for testing
  2. Include explicit written authorization for testing — CFAA requirement
  3. Set testing windows and out-of-scope restrictions
  4. Define responsible disclosure: how vulnerabilities will be reported and when
  5. Specify deliverables: written report with severity ratings and remediation steps
  6. Set fees and payment timeline
  7. Both parties sign before any testing begins
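Steps 1 through 3 and 7 above pin down a machine-checkable set of facts: signed authorization, in-scope ranges, out-of-scope exclusions, and a testing window. The following pre-flight check is an added example (not part of this template or any vendor tool) that refuses to mark a target as authorized unless every one of those conditions holds; the engagement record, IP ranges and window are constructed sample values.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class RulesOfEngagement:
    """Constructed, hypothetical record of what a signed agreement fixes."""
    signed: bool                      # both parties have signed (step 7)
    in_scope: list[str]               # authorized CIDR ranges (step 1)
    out_of_scope: list[str] = field(default_factory=list)  # exclusions (step 3)
    window_start: datetime | None = None                   # testing window (step 3)
    window_end: datetime | None = None


def authorized(roe: RulesOfEngagement, target: str, when: datetime) -> tuple[bool, str]:
    """Return (ok, reason). Every condition must pass before any active testing."""
    if not roe.signed:
        return False, "agreement not signed by both parties"
    ip = ipaddress.ip_address(target)
    # Explicit exclusions take precedence over any in-scope range that contains them.
    if any(ip in ipaddress.ip_network(n) for n in roe.out_of_scope):
        return False, f"{target} is explicitly out of scope"
    if not any(ip in ipaddress.ip_network(n) for n in roe.in_scope):
        return False, f"{target} is not in any authorized range"
    if roe.window_start and roe.window_end and not (roe.window_start <= when <= roe.window_end):
        return False, "outside the agreed testing window"
    return True, "authorized"


# Constructed sample engagement using documentation address ranges (not real targets).
SAMPLE_ROE = RulesOfEngagement(
    signed=True,
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    out_of_scope=["203.0.113.10/32"],   # e.g. a production host carved out by the client
    window_start=datetime(2026, 3, 2, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2026, 3, 3, 4, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    now = datetime(2026, 3, 2, 23, 30, tzinfo=timezone.utc)
    for host in ["203.0.113.5", "203.0.113.10", "198.51.100.200", "192.0.2.1"]:
        ok, why = authorized(SAMPLE_ROE, host, now)
        print(f"{host:16} {'OK ' if ok else 'NO '} {why}")
```

Run the check for each target before any scan is launched and log the result with the engagement record, so the rules of engagement leave an audit trail rather than living only in the consultant's head.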

Frequently Asked Questions

Common questions about the Cybersecurity Consulting Agreement

The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to access computer systems without authorization. Even when a client hires you to test their systems, you need explicit written authorization documenting exactly which systems you are authorized to test. Without this written authorization, a consultant who accesses systems outside the expected scope — even accidentally — can face criminal prosecution. Written authorization is also protection if the client later disputes what testing was authorized.

Responsible disclosure (also called coordinated disclosure) is the practice of giving an organization private notice of a discovered vulnerability before it is publicly disclosed, allowing time for remediation. Standard practice: notify the affected party immediately upon discovery, give 30–90 days to remediate, then disclose publicly (possibly coordinating with CERT/CC). The consulting agreement should specify the disclosure timeline and what happens if the client fails to remediate within the window.

The consulting agreement should address the risk of damage caused during testing: scope of testing, agreed testing windows, and indemnification for damages caused by out-of-scope or unauthorized testing. Consultants who follow the agreed scope and rules of engagement are typically protected; accidental damage within the authorized scope is usually addressed by indemnification provisions. The key protection is well-defined scope and explicit client authorization.

A professional pentest report should include: executive summary (non-technical overview for management), methodology (what testing approaches were used), findings (each vulnerability with severity rating using CVSS), proof of concept (evidence the vulnerability is exploitable), risk rating and business impact, remediation recommendations with priority, and retesting expectations. Severity ratings: Critical (immediate action), High, Medium, Low, Informational.

Bug bounty programs (HackerOne, Bugcrowd) provide a framework for external researchers to report vulnerabilities with defined rewards and rules. They do not replace formal penetration testing agreements for comprehensive assessments. Bug bounties attract external researchers but typically have limited scope; penetration test agreements bring dedicated consultants who conduct systematic, in-depth testing. Many mature security programs use both.