Snippet & document cleanup

Marcus Bointon 2016-12-06 15:43:08 +01:00
parent 570dca4c28
commit 15a5ef9e50
27 changed files with 1222 additions and 991 deletions


@ -1,25 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file contains all known information for this client. All elements are MANDATORY. If any piece of information is not available, leave the element empty -->
<!-- Example <invoice_rep></invoice_rep> -->
<client xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../dtd/offerte.xsd" id="client">
<full_name>Sitting Duck B.V.</full_name>
<!-- long client name, e.g. Sitting Duck B.V. -->
<short_name>Sitting Duck</short_name>
<!-- short client name, e.g. Sitting Duck; if no short name: same as long name -->
<legal_rep>I.M. Portant</legal_rep>
<!-- customer legal representative (to sign offer) -->
<waiver_rep>B.I.G. Wig</waiver_rep>
<!-- customer legal representative (to sign waiver; can be same person as legal_rep) -->
<poc1>Sir Knowsalot</poc1>
<!-- first point of contact for customer (during pentest); can be same person as above -->
<address>Reed Street 42</address>
<postal_code>0000</postal_code>
<city>Pond City</city>
<country>Amazonia</country>
<coc nationality="Dutch">9999999</coc>
<!-- chamber of commerce number; if no chamber of commerce number, please delete the whole element -->
<invoice_rep>D. Ollars</invoice_rep>
<invoice_mail>freemoney@sittingduck.com</invoice_mail>
<vat_no>0000000000B01</vat_no>
<!-- This file contains all known information for this client. All elements are MANDATORY. If any piece of information is not available, leave the element empty --><!-- Example <invoice_rep></invoice_rep> -->
<client xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="../dtd/offerte.xsd" id="client">
<full_name>Sitting Duck B.V.</full_name>
<!-- long client name, e.g. Sitting Duck B.V. -->
<short_name>Sitting Duck</short_name>
<!-- short client name, e.g. Sitting Duck; if no short name: same as long name -->
<legal_rep>I.M. Portant</legal_rep>
<!-- customer legal representative (to sign offer) -->
<waiver_rep>B.I.G. Wig</waiver_rep>
<!-- customer legal representative (to sign waiver; can be same person as legal_rep) -->
<poc1>Sir Knowsalot</poc1>
<!-- first point of contact for customer (during pentest); can be same person as above -->
<address>Reed Street 42</address>
<postal_code>0000</postal_code>
<city>Pond City</city>
<country>Amazonia</country>
<coc nationality="Dutch">9999999</coc>
<!-- chamber of commerce number; if no chamber of commerce number, please delete the whole element -->
<invoice_rep>D. Ollars</invoice_rep>
<invoice_mail>freemoney@sittingduck.com</invoice_mail>
<vat_no>0000000000B01</vat_no>
</client>


@ -1,32 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<contract_info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:noNamespaceSchemaLocation="../dtd/contract_info.xsd" xml:lang="en">
<!-- WARNING:
Please note that the PenText creators make no claims regarding the validity of the contract generated by filling in the elements below and generating the pdf using the PenText system.
The contract snippets in this repo are provided as an example and should not be used for official contracts. It is the responsibility of the end user to edit the contract snippets and code so that the resulting contract is valid and watertight in the context of their own business operations and legal system. -->
<xi:include href="snippets/company_info.xml"/>
<scope>
<contract_type>fixed_term</contract_type><!-- single_engagement|fixed_term|non_zzp -->
<engagement_description>battling the pirates</engagement_description>
<secondpartyrole>Contractor</secondpartyrole><!-- what contractor will be referred to throughout the contract. Can be anything, but should probably be Consultant or Contracting Party. When in doubt, leave as is. -->
</scope>
<contractor sex="F"><!-- (M|F|O) (O for other) --> <!-- this info is used to select the correct pronoun, not for profiling :) -->
<name>Petra Pan</name>
<ctcompany>Lost Boys Inc.</ctcompany><!-- DELETE ctcompany element in case of freelancer without company -->
<address>Cloud 9</address>
<postal_code>1234 XX</postal_code>
<city>Treehouse City</city>
<country>Neverland</country>
<email>peter@pan.tech</email>
<hourly_fee denomination="eur">0</hourly_fee><!-- (eur|gbp|usd) -->
</contractor>
<work>
<activities><!-- add/delete activity elements as necessary -->
<activity>Taunting Captain Hook</activity>
<activity>Feeding crocodiles</activity>
<activity>Flying to and fro ('to' and 'fro' to be specified at takeoff)</activity>
</activities>
<start_date>2016-08-18</start_date>
<end_date>2016-09-15</end_date>
</work>
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xsi:noNamespaceSchemaLocation="../dtd/contract_info.xsd"
xml:lang="en">
<!-- WARNING:
Please note that the PenText creators make no claims regarding the validity of the contract generated by filling in the elements below and generating the pdf using the PenText system.
The contract snippets in this repo are provided as an example and should not be used for official contracts. It is the responsibility of the end user to edit the contract snippets and code so that the resulting contract is valid and watertight in the context of their own business operations and legal system. -->
<xi:include href="snippets/company_info.xml"/>
<scope>
<contract_type>fixed_term
</contract_type><!-- single_engagement|fixed_term|non_zzp -->
<engagement_description>battling the pirates</engagement_description>
<secondpartyrole>Contractor
</secondpartyrole><!-- what contractor will be referred to throughout the contract. Can be anything, but should probably be Consultant or Contracting Party. When in doubt, leave as is. -->
</scope>
<contractor sex="F"><!-- (M|F|O) (O for other) -->
<!-- this info is used to select the correct pronoun, not for profiling :) -->
<name>Petra Pan</name>
<ctcompany>Lost Boys Inc.
</ctcompany><!-- DELETE ctcompany element in case of freelancer without company -->
<address>Cloud 9</address>
<postal_code>1234 XX</postal_code>
<city>Treehouse City</city>
<country>Neverland</country>
<email>peter@pan.tech</email>
<hourly_fee denomination="eur">0</hourly_fee><!-- (eur|gbp|usd) -->
</contractor>
<work>
<activities><!-- add/delete activity elements as necessary -->
<activity>Taunting Captain Hook</activity>
<activity>Feeding crocodiles</activity>
<activity>Flying to and fro ('to' and 'fro' to be specified at takeoff)
</activity>
</activities>
<start_date>2016-08-18</start_date>
<end_date>2016-09-15</end_date>
</work>
</contract_info>
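Review bot: The reformat splits the text of `<contract_type>` so the element now contains `fixed_term` followed by a newline and indentation before the end tag; in element text that whitespace is data, so an XSD enumeration or a stylesheet comparison against the literal `fixed_term` that matched the old one-line value may stop matching unless the consumer normalises whitespace. Keep the value and its end tag together: `<contract_type>fixed_term</contract_type><!-- single_engagement|fixed_term|non_zzp -->`. The same break was introduced in `<secondpartyrole>`, `<ctcompany>` and the last `<activity>` in this file, in `<legal_rep>` of the company_info hunk, and in several `<translation>` elements of the localised_strings hunk, where `Over`/`Reikwijdte`/`About`/`Reach of` and the inline `<client_short/>`/`<company_svc_short/>` placeholders now sit on separate lines with indentation between them. Whether the rendered documents differ depends on how the stylesheets treat whitespace in text and mixed content, which is not visible here, but a pretty-printer should not be run on elements whose text nodes carry data.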


@ -1,12 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="futurework" xml:base="futurework.xml" break="before" inexecsummary="no">
<title>Future Work</title>
<ul>
<li>
<b>Title</b><br/>
Description
</li>
</ul>
<ul>
<li>
<b>Title</b>
<br/>
Description
</li>
</ul>
</section>


@ -1,64 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<quickscope xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="../dtd/quickscope.xsd">
<!-- COMPANY INFO -->
<xi:include href="client_info.xml"/>
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="../dtd/quickscope.xsd">
<!-- COMPANY INFO -->
<xi:include href="client_info.xml"/>
<!-- SERVICE INFO -->
<meta>
<!-- Language the offer should be in (en|nl) -->
<offer_language>en</offer_language>
<!-- Offer type (pentest|basic-scan|load-test|code-audit|other) -->
<offer_type>pentest</offer_type>
<!-- Required service -->
<!-- Note: is only used when type is 'other', if offer_type is a specific type, service name will be taken from the localisation strings -->
<requested_service>penetration testing services</requested_service>
<!-- Which targets will need to be tested?
(one <target> element for each piece of software/service/server address/location...), delete/add as necessary -->
<targets>
<target></target>
<target></target>
</targets>
</meta>
<!-- Do we need permission from third parties? Insert as many <third_party> elements as needed under this comment -->
<!-- INSERT OPTIONAL THIRD PARTIES HERE -->
<!-- <third_party>
<full_name>XXX</full_name>
<short_name>XXX</short_name>
<waiver_rep>XXX</waiver_rep>
<address>XXX</address>
<city>XXX</city>
<country>XXX</country>
</third_party> -->
<!-- ___________________________________ -->
<pentest_info>
<!-- How long would you like the test to be? (in days) -->
<days>0</days>
<!-- How many mandays (if you don't know, try days * number of assigned pentesters) -->
<mandays>0</mandays>
<!-- Service execution (Use one of the following values: time-boxed, subscription) -->
<nature>time-boxed</nature>
<!-- Testing type (Use one of the following values: crystal-box, black-box, grey-box) -->
<type>crystal-box</type>
<!-- Test planning (when would you like the test to be executed -->
<!-- Ideally something specific like 'December 7th - December 12th, 2015', but another description 'Beginning of December' is fine as well -->
<!-- do not start with a capital letter -->
<planning>TBD</planning>
<!-- Pentest report delivery date (please allow at least 1 week between the end of the pentest and the report delivery date) -->
<delivery>TBD</delivery>
<!-- Do you need/want a code audit? (possible values: yes/no), only for pentest -->
<codeaudit perform="yes"/>
<!-- Is there an application that needs to be tested? Add an <application_name> element below. -->
<!-- INSERT OPTIONAL APPLICATION NAME HERE -->
<!-- SERVICE INFO -->
<meta>
<!-- Language the offer should be in (en|nl) -->
<offer_language>en</offer_language>
<!-- Offer type (pentest|basic-scan|load-test|code-audit|other) -->
<offer_type>pentest</offer_type>
<!-- Required service -->
<!-- Note: is only used when type is 'other', if offer_type is a specific type, service name will be taken from the localisation strings -->
<requested_service>penetration testing services</requested_service>
<!-- Which targets will need to be tested?
(one <target> element for each piece of software/service/server address/location...), delete/add as necessary -->
<targets>
<target></target>
<target></target>
</targets>
</meta>
<!-- Do we need permission from third parties? Insert as many <third_party> elements as needed under this comment -->
<!-- INSERT OPTIONAL THIRD PARTIES HERE -->
<!-- <third_party>
<full_name>XXX</full_name>
<short_name>XXX</short_name>
<waiver_rep>XXX</waiver_rep>
<address>XXX</address>
<city>XXX</city>
<country>XXX</country>
</third_party> -->
<!-- ___________________________________ -->
<pentest_info>
<!-- How long would you like the test to be? (in days) -->
<days>0</days>
<!-- How many mandays (if you don't know, try days * number of assigned pentesters) -->
<mandays>0</mandays>
<!-- Service execution (Use one of the following values: time-boxed, subscription) -->
<nature>time-boxed</nature>
<!-- Testing type (Use one of the following values: crystal-box, black-box, grey-box) -->
<type>crystal-box</type>
<!-- Test planning (when would you like the test to be executed -->
<!-- Ideally something specific like 'December 7th - December 12th, 2015', but another description 'Beginning of December' is fine as well -->
<!-- do not start with a capital letter -->
<planning>TBD</planning>
<!-- Pentest report delivery date (please allow at least 1 week between the end of the pentest and the report delivery date) -->
<delivery>TBD</delivery>
<!-- Do you need/want a code audit? (possible values: yes/no), only for pentest -->
<codeaudit perform="yes"/>
<!-- Is there an application that needs to be tested? Add an <application_name> element below. -->
<!-- INSERT OPTIONAL APPLICATION NAME HERE -->
<!-- ___________________________________ -->
<!-- rate (to be filled in by ROS ;) -->
<rate>0</rate>
</pentest_info>
<!-- rate (to be filled in by ROS ;) -->
<rate>0</rate>
</pentest_info>
</quickscope>


@ -1,17 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<company>
<full_name>Radically Open Security B.V.</full_name>
<short_name>ROS</short_name>
<legal_rep>Melanie Rieback</legal_rep><!-- ROS legal representative (to sign offerte) -->
<poc1>Melanie Rieback</poc1><!-- first point of contact for ROS -->
<address>Overdiemerweg 28</address>
<postal_code>1111 PP</postal_code>
<city>Diemen</city>
<country>The Netherlands</country>
<phone>+31 6 10 21 32 40</phone>
<email>info@radicallyopensecurity.com</email>
<website>www.radicallyopensecurity.com</website>
<coc>60628081</coc>
<vat_no>853989655B01</vat_no>
<iban>NL06 RABO 0188 2813 12</iban>
<full_name>Radically Open Security B.V.</full_name>
<short_name>ROS</short_name>
<legal_rep>Melanie Rieback
</legal_rep><!-- ROS legal representative (to sign offerte) -->
<poc1>Melanie Rieback</poc1><!-- first point of contact for ROS -->
<address>Overdiemerweg 28</address>
<postal_code>1111 PP</postal_code>
<city>Diemen</city>
<country>The Netherlands</country>
<phone>+31 6 10 21 32 40</phone>
<email>info@radicallyopensecurity.com</email>
<website>www.radicallyopensecurity.com</website>
<coc>60628081</coc>
<vat_no>853989655B01</vat_no>
<iban>NL06 RABO 0188 2813 12</iban>
</company>


@ -1,223 +1,241 @@
<?xml version="1.0" encoding="UTF-8"?>
<localised_strings>
<date>
<!-- Note: NOT IMPLEMENTED YET - date localisation requires some Saxon HE hacking and it isn't pretty -->
<format xml:lang="nl">[D1] [MNn] [Y]</format>
<format xml:lang="en">[MNn] [D1], [Y]</format>
</date>
<!-- THIS you can change/expand! -->
<!-- COVERPAGE AND HEADERS/FOOTERS -->
<string id="coverpage_offer">
<translation xml:lang="nl">OFFERTE</translation>
<translation xml:lang="en">QUOTE</translation>
</string>
<string id="coverpage_service_pentest">
<translation xml:lang="nl">penetratietestdiensten</translation>
<translation xml:lang="en">penetration testing services</translation>
</string>
<string id="coverpage_service_pentest_short">
<translation xml:lang="nl">penetratietest</translation>
<translation xml:lang="en">penetration test</translation>
</string>
<string id="coverpage_service_retest">
<translation xml:lang="nl">penetratietestdiensten</translation>
<translation xml:lang="en">penetration retesting services</translation>
</string>
<string id="coverpage_service_retest_short">
<translation xml:lang="nl">hertest</translation>
<translation xml:lang="en">retest</translation>
</string>
<string id="coverpage_service_basic-scan">
<translation xml:lang="nl">basis-securityscandiensten</translation>
<translation xml:lang="en">basic security scan services</translation>
</string>
<string id="coverpage_service_basic-scan_short">
<translation xml:lang="nl">basis-securityscan</translation>
<translation xml:lang="en">basic scan</translation>
</string>
<string id="coverpage_service_code-audit">
<translation xml:lang="nl">code-auditing-diensten</translation>
<translation xml:lang="en">code auditing services</translation>
</string>
<string id="coverpage_service_code-audit_short">
<translation xml:lang="nl">code audit</translation>
<translation xml:lang="en">code audit</translation>
</string>
<string id="coverpage_service_load-test">
<translation xml:lang="nl">loadtest-diensten</translation>
<translation xml:lang="en">load testing services</translation>
</string>
<string id="coverpage_service_load-test_short">
<translation xml:lang="nl">load test</translation>
<translation xml:lang="en">load test</translation>
</string>
<string id="coverpage_for">
<translation xml:lang="nl">VOOR</translation>
<translation xml:lang="en">FOR</translation>
</string>
<string id="page_kvk">
<translation xml:lang="nl">Kamer van Koophandel</translation>
<translation xml:lang="en">Chamber of Commerce</translation>
</string>
<!-- INVOICES -->
<string id="invoice_no">
<translation xml:lang="nl">Factuur nr.</translation>
<translation xml:lang="en">Invoice no.</translation>
</string>
<string id="invoice_fao">
<translation xml:lang="nl">T.a.v.</translation>
<translation xml:lang="en">F.a.o.</translation>
</string>
<string id="invoice_svcdeliv">
<translation xml:lang="nl">Geleverde diensten</translation>
<translation xml:lang="en">Services delivered</translation>
</string>
<string id="invoice_days">
<translation xml:lang="nl">daagse</translation>
<translation xml:lang="en">day</translation>
</string>
<string id="invoice_vat">
<translation xml:lang="nl">BTW</translation>
<translation xml:lang="en">VAT</translation>
</string>
<string id="invoice_vatno">
<translation xml:lang="nl">BTW-nummer</translation>
<translation xml:lang="en">VAT number</translation>
</string>
<string id="invoice_additional">
<translation xml:lang="nl">Extra gemaakte kosten</translation>
<translation xml:lang="en">Additional expenses</translation>
</string>
<string id="invoice_total">
<translation xml:lang="nl">Totaal te betalen</translation>
<translation xml:lang="en">Total amount to be paid</translation>
</string>
<string id="invoice_donation">
<translation xml:lang="nl">doneert > 90% van haar totale winst aan goede doelen.</translation>
<translation xml:lang="en">donates > 90% of its entire profits to
charity.</translation>
</string>
<string id="invoice_pleasepay">
<translation xml:lang="nl">Maak binnen 30 dagen het totale bedrag over op de volgende rekening:</translation>
<translation xml:lang="en">Please be so kind to pay within 30 days
by money transfer, to the following account:</translation>
</string>
<string id="invoice_iban">
<translation xml:lang="nl">IBAN</translation>
<translation xml:lang="en">IBAN</translation>
</string>
<string id="invoice_ref">
<translation xml:lang="nl">Referentie</translation>
<translation xml:lang="en">Reference</translation>
</string>
<string id="invoice_regards">
<translation xml:lang="nl">Met vriendelijke groet</translation>
<translation xml:lang="en">Kind regards</translation>
</string>
<string id="invoice_team">
<translation xml:lang="nl">uw team bij</translation>
<translation xml:lang="en">your dedicated team at</translation>
</string>
<string id="invoice_yaygreen">
<translation xml:lang="nl">Spaar papier — niet afdrukken tenzij absoluut noodzakelijk. Lees onze (unieke) voorwaarden op: https://radicallyopensecurity.com/TermsandConditions.pdf</translation>
<translation xml:lang="en">Please keep digital unless absolutely required. Read the (unique) terms and conditions of Radically Open Security at: https://radicallyopensecurity.com/TermsandConditions.pdf</translation>
</string>
<!-- QUICKSCOPING 2 QUOTE -->
<string id="qs2off_about">
<translation xml:lang="nl">Over <client_short/></translation>
<translation xml:lang="en">About <client_short/></translation>
</string>
<string id="qs2off_infrastructure">
<translation xml:lang="nl">Infrastructuur</translation>
<translation xml:lang="en">Infrastructure</translation>
</string>
<string id="qs2off_reach">
<translation xml:lang="nl">Reikwijdte <company_svc_short/></translation>
<translation xml:lang="en">Reach of <company_svc_short/></translation>
</string>
<!-- PERMISSION PARTIES -->
<string id="permission_and">
<translation xml:lang="nl">en</translation>
<translation xml:lang="en">and</translation>
</string>
<!-- WAIVERS -->
<string id="waiver_signed">
<translation xml:lang="nl">Getekend</translation>
<translation xml:lang="en">Signed</translation>
</string>
<string id="waiver_signed_on">
<translation xml:lang="nl">op</translation>
<translation xml:lang="en">on</translation>
</string>
<string id="waiver_signed_in">
<translation xml:lang="nl">in</translation>
<translation xml:lang="en">in</translation>
</string>
<string id="waiver_signed_by">
<translation xml:lang="nl">door</translation>
<translation xml:lang="en">by</translation>
</string>
<string id="waiver_signed_for">
<translation xml:lang="nl">namens</translation>
<translation xml:lang="en">for</translation>
</string>
<string id="signed_dupe">
<translation xml:lang="nl">In duplicaat getekend</translation>
<translation xml:lang="en">Signed in duplicate</translation>
</string>
<!-- CONTRACTS -->
<string id="contract_title">
<translation xml:lang="nl">security consulting agreement</translation>
<translation xml:lang="en">security consulting agreement</translation>
</string>
<string id="contract_whereas">
<translation xml:lang="nl">in aanmerking genomen dat</translation>
<translation xml:lang="en">considering that</translation>
</string>
<string id="contract_agree">
<translation xml:lang="nl">komen het volgende overeen</translation>
<translation xml:lang="en">agree the following</translation>
</string>
<string id="subject_m">
<translation xml:lang="nl">hij</translation>
<translation xml:lang="en">he</translation>
</string>
<string id="subject_f">
<translation xml:lang="nl">ze</translation>
<translation xml:lang="en">she</translation>
</string>
<string id="subject_o">
<translation xml:lang="nl">hen</translation>
<translation xml:lang="en">they</translation>
</string>
<string id="object_m">
<translation xml:lang="nl">hem</translation>
<translation xml:lang="en">him</translation>
</string>
<string id="object_f">
<translation xml:lang="nl">haar</translation>
<translation xml:lang="en">her</translation>
</string>
<string id="object_o">
<translation xml:lang="nl">hen</translation>
<translation xml:lang="en">them</translation>
</string>
<string id="possessive_m">
<translation xml:lang="nl">zijn</translation>
<translation xml:lang="en">his</translation>
</string>
<string id="possessive_f">
<translation xml:lang="nl">haar</translation>
<translation xml:lang="en">her</translation>
</string>
<string id="possessive_o">
<translation xml:lang="nl">hun</translation>
<translation xml:lang="en">their</translation>
</string>
<string id="contract_signed_dupe">
<translation xml:lang="nl">TODOXXXXXXXXXX</translation>
<translation xml:lang="en">As such drawn up in duplicate and signed</translation>
</string>
<date>
<!-- Note: NOT IMPLEMENTED YET - date localisation requires some Saxon HE hacking and it isn't pretty -->
<format xml:lang="nl">[D1] [MNn] [Y]</format>
<format xml:lang="en">[MNn] [D1], [Y]</format>
</date>
<!-- THIS you can change/expand! -->
<!-- COVERPAGE AND HEADERS/FOOTERS -->
<string id="coverpage_offer">
<translation xml:lang="nl">OFFERTE</translation>
<translation xml:lang="en">QUOTE</translation>
</string>
<string id="coverpage_service_pentest">
<translation xml:lang="nl">penetratietestdiensten</translation>
<translation xml:lang="en">penetration testing services</translation>
</string>
<string id="coverpage_service_pentest_short">
<translation xml:lang="nl">penetratietest</translation>
<translation xml:lang="en">penetration test</translation>
</string>
<string id="coverpage_service_retest">
<translation xml:lang="nl">penetratietestdiensten</translation>
<translation xml:lang="en">penetration retesting services</translation>
</string>
<string id="coverpage_service_retest_short">
<translation xml:lang="nl">hertest</translation>
<translation xml:lang="en">retest</translation>
</string>
<string id="coverpage_service_basic-scan">
<translation xml:lang="nl">basis-securityscandiensten</translation>
<translation xml:lang="en">basic security scan services</translation>
</string>
<string id="coverpage_service_basic-scan_short">
<translation xml:lang="nl">basis-securityscan</translation>
<translation xml:lang="en">basic scan</translation>
</string>
<string id="coverpage_service_code-audit">
<translation xml:lang="nl">code-auditing-diensten</translation>
<translation xml:lang="en">code auditing services</translation>
</string>
<string id="coverpage_service_code-audit_short">
<translation xml:lang="nl">code audit</translation>
<translation xml:lang="en">code audit</translation>
</string>
<string id="coverpage_service_load-test">
<translation xml:lang="nl">loadtest-diensten</translation>
<translation xml:lang="en">load testing services</translation>
</string>
<string id="coverpage_service_load-test_short">
<translation xml:lang="nl">load test</translation>
<translation xml:lang="en">load test</translation>
</string>
<string id="coverpage_for">
<translation xml:lang="nl">VOOR</translation>
<translation xml:lang="en">FOR</translation>
</string>
<string id="page_kvk">
<translation xml:lang="nl">Kamer van Koophandel</translation>
<translation xml:lang="en">Chamber of Commerce</translation>
</string>
<!-- INVOICES -->
<string id="invoice_no">
<translation xml:lang="nl">Factuur nr.</translation>
<translation xml:lang="en">Invoice no.</translation>
</string>
<string id="invoice_fao">
<translation xml:lang="nl">T.a.v.</translation>
<translation xml:lang="en">F.a.o.</translation>
</string>
<string id="invoice_svcdeliv">
<translation xml:lang="nl">Geleverde diensten</translation>
<translation xml:lang="en">Services delivered</translation>
</string>
<string id="invoice_days">
<translation xml:lang="nl">daagse</translation>
<translation xml:lang="en">day</translation>
</string>
<string id="invoice_vat">
<translation xml:lang="nl">BTW</translation>
<translation xml:lang="en">VAT</translation>
</string>
<string id="invoice_vatno">
<translation xml:lang="nl">BTW-nummer</translation>
<translation xml:lang="en">VAT number</translation>
</string>
<string id="invoice_additional">
<translation xml:lang="nl">Extra gemaakte kosten</translation>
<translation xml:lang="en">Additional expenses</translation>
</string>
<string id="invoice_total">
<translation xml:lang="nl">Totaal te betalen</translation>
<translation xml:lang="en">Total amount to be paid</translation>
</string>
<string id="invoice_donation">
<translation xml:lang="nl">doneert > 90% van haar totale winst aan goede
doelen.
</translation>
<translation xml:lang="en">donates > 90% of its entire profits to charity.
</translation>
</string>
<string id="invoice_pleasepay">
<translation xml:lang="nl">Maak binnen 30 dagen het totale bedrag over op de
volgende rekening:
</translation>
<translation xml:lang="en">Please be so kind to pay within 30 days by money
transfer, to the following account:
</translation>
</string>
<string id="invoice_iban">
<translation xml:lang="nl">IBAN</translation>
<translation xml:lang="en">IBAN</translation>
</string>
<string id="invoice_ref">
<translation xml:lang="nl">Referentie</translation>
<translation xml:lang="en">Reference</translation>
</string>
<string id="invoice_regards">
<translation xml:lang="nl">Met vriendelijke groet</translation>
<translation xml:lang="en">Kind regards</translation>
</string>
<string id="invoice_team">
<translation xml:lang="nl">uw team bij</translation>
<translation xml:lang="en">your dedicated team at</translation>
</string>
<string id="invoice_yaygreen">
<translation xml:lang="nl">Spaar papier — niet afdrukken tenzij absoluut
noodzakelijk. Lees onze (unieke) voorwaarden op:
https://radicallyopensecurity.com/TermsandConditions.pdf
</translation>
<translation xml:lang="en">Please keep digital unless absolutely required.
Read the (unique) terms and conditions of Radically Open Security at:
https://radicallyopensecurity.com/TermsandConditions.pdf
</translation>
</string>
<!-- QUICKSCOPING 2 QUOTE -->
<string id="qs2off_about">
<translation xml:lang="nl">Over
<client_short/>
</translation>
<translation xml:lang="en">About
<client_short/>
</translation>
</string>
<string id="qs2off_infrastructure">
<translation xml:lang="nl">Infrastructuur</translation>
<translation xml:lang="en">Infrastructure</translation>
</string>
<string id="qs2off_reach">
<translation xml:lang="nl">Reikwijdte
<company_svc_short/>
</translation>
<translation xml:lang="en">Reach of
<company_svc_short/>
</translation>
</string>
<!-- PERMISSION PARTIES -->
<string id="permission_and">
<translation xml:lang="nl">en</translation>
<translation xml:lang="en">and</translation>
</string>
<!-- WAIVERS -->
<string id="waiver_signed">
<translation xml:lang="nl">Getekend</translation>
<translation xml:lang="en">Signed</translation>
</string>
<string id="waiver_signed_on">
<translation xml:lang="nl">op</translation>
<translation xml:lang="en">on</translation>
</string>
<string id="waiver_signed_in">
<translation xml:lang="nl">in</translation>
<translation xml:lang="en">in</translation>
</string>
<string id="waiver_signed_by">
<translation xml:lang="nl">door</translation>
<translation xml:lang="en">by</translation>
</string>
<string id="waiver_signed_for">
<translation xml:lang="nl">namens</translation>
<translation xml:lang="en">for</translation>
</string>
<string id="signed_dupe">
<translation xml:lang="nl">In duplicaat getekend</translation>
<translation xml:lang="en">Signed in duplicate</translation>
</string>
<!-- CONTRACTS -->
<string id="contract_title">
<translation xml:lang="nl">security consulting agreement</translation>
<translation xml:lang="en">security consulting agreement</translation>
</string>
<string id="contract_whereas">
<translation xml:lang="nl">in aanmerking genomen dat</translation>
<translation xml:lang="en">considering that</translation>
</string>
<string id="contract_agree">
<translation xml:lang="nl">komen het volgende overeen</translation>
<translation xml:lang="en">agree the following</translation>
</string>
<string id="subject_m">
<translation xml:lang="nl">hij</translation>
<translation xml:lang="en">he</translation>
</string>
<string id="subject_f">
<translation xml:lang="nl">ze</translation>
<translation xml:lang="en">she</translation>
</string>
<string id="subject_o">
<translation xml:lang="nl">hen</translation>
<translation xml:lang="en">they</translation>
</string>
<string id="object_m">
<translation xml:lang="nl">hem</translation>
<translation xml:lang="en">him</translation>
</string>
<string id="object_f">
<translation xml:lang="nl">haar</translation>
<translation xml:lang="en">her</translation>
</string>
<string id="object_o">
<translation xml:lang="nl">hen</translation>
<translation xml:lang="en">them</translation>
</string>
<string id="possessive_m">
<translation xml:lang="nl">zijn</translation>
<translation xml:lang="en">his</translation>
</string>
<string id="possessive_f">
<translation xml:lang="nl">haar</translation>
<translation xml:lang="en">her</translation>
</string>
<string id="possessive_o">
<translation xml:lang="nl">hun</translation>
<translation xml:lang="en">their</translation>
</string>
<string id="contract_signed_dupe">
<translation xml:lang="nl">TODOXXXXXXXXXX</translation>
<translation xml:lang="en">As such drawn up in duplicate and signed
</translation>
</string>
</localised_strings>


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Terms and Conditions</title>
<!-- snippet --><p><company_short/> will only perform the <company_svc_short/>
<p><company_short/> will only perform the <company_svc_short/>
if it has obtained the permission from <generate_permission_parties/>
as set out in the penetration testing waiver, attached as <b>Annex 2</b>,
or provided in a separate document.</p>
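Review bot: The `<!-- snippet -->` marker that preceded the first `<p>` is dropped in this hunk, while the crystalbox snippet in the same commit keeps its `<!--snippet -->` comment (moved onto the XML declaration line), so the two snippet files now disagree on the convention. If the marker is something contributors or tooling rely on to recognise snippet files, keep it on its own line before the `<p>`: `<!-- snippet -->`; if it is unused, the remaining `<!--snippet -->` comments should be removed as well so the convention is consistent either way. The enclosing `<section>` element closes outside the hunk.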


@ -1,17 +1,23 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<?xml version="1.0" encoding="UTF-8"?><!--snippet -->
<section id="crystalboxing">
<title>The Crystal-Box Pentesting Method</title>
<p>
Crystal-box vs. black-box pentesting refers to the amount of information about the target environment, architecture, and/or applications the customer initially shares with the pentesters. With black-box testing, pentesters are given no information whatsoever about the target(s). With crystal-box testing, pentesters are given all information requested about the target(s), including source-code (when relevant), access to developers or system management, etc.
</p>
<p>
<company_short/> will conduct crystal-box pentesting, which is the preferred
method. Unlike real-world attackers who have all of the time in the world,
penetration testing tends to happen within a limited time frame. Crystal-box
pentesting allows us to make the most efficient use of the time allotted, thus
maximizing the number of vulnerabilities that can be found. Additionally
crystal-box pentesting fits naturally hand-in-hand with the "Peek Over Our Shoulder" option that <company_short/> offers to <client_short/>.
</p>
</section>
<!-- end of template -->
<title>The Crystal-Box Pentesting Method</title>
<p>
Crystal-box vs. black-box pentesting refers to the amount of information
about the target environment, architecture, and/or applications the customer
initially shares with the pentesters. With black-box testing, pentesters are
given no information whatsoever about the target(s). With crystal-box
testing, pentesters are given all information requested about the target(s),
including source-code (when relevant), access to developers or system
management, etc.
</p>
<p>
<company_short/>
will conduct crystal-box pentesting, which is the preferred method. Unlike
real-world attackers who have all of the time in the world, penetration
testing tends to happen within a limited time frame. Crystal-box pentesting
allows us to make the most efficient use of the time allotted, thus
maximizing the number of vulnerabilities that can be found. Additionally
crystal-box pentesting fits naturally hand-in-hand with the "Peek Over Our
Shoulder" option that <company_short/> offers to <client_short/>.
</p>
</section><!-- end of template -->


@ -1,22 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Disclaimer</title>
<p>
It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is
secure. <company_short/>, instead, has an obligation to make reasonable
efforts (in Dutch: “<i>inspanningsverplichting</i>”) to perform the
agreed services.
</p>
<p>
<company_short/> and <client_short/> agree to take reasonable measures to
maintain the confidentiality of information and any personal data they gain
access to in the course of performing the <company_svc_short/>. Both parties will use the
information and data they receive or access only for the purposes outlined
in this agreement.
<company_short/> warrants that all core-team members, external freelancers,
and volunteers it engages to perform the <company_svc_short/> have signed a
non-disclosure agreement (NDA).
</p>
<title>Disclaimer</title>
<p>
It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is secure.
<company_short/>, instead, has an obligation to make reasonable efforts (in
Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.
</p>
<p>
<company_short/> and <client_short/>
agree to take reasonable measures to maintain the confidentiality of
information and any personal data they gain access to in the course of
performing the <company_svc_short/>. Both parties will use the information
and data they receive or access only for the purposes outlined in this
agreement.
<company_short/> warrants that all core-team members, external freelancers,
and volunteers it engages to perform the <company_svc_short/>
have signed a non-disclosure agreement (NDA).
</p>
</section>


@ -1,22 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Disclaimer</title>
<p>
It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is
secure. <company_short/>, instead, has an obligation to make reasonable
efforts (in Dutch: “<i>inspanningsverplichting</i>”) to perform the
agreed services.
</p>
<p>
<company_short/> and <client_short/> agree to take reasonable measures to
maintain the confidentiality of information and any personal data they gain
access to in the course of performing the code audit. Both parties will use the
information and data they receive or access only for the purposes outlined
in this agreement.
<company_short/> warrants that all core-team members, external freelancers,
and volunteers it engages to perform the code audit have signed a
non-disclosure agreement (NDA).
</p>
<title>Disclaimer</title>
<p>
It is important to understand the limits of <company_short/>'s services.
<company_short/>
does not (and cannot) give guarantees that something is secure.
<company_short/>, instead, has an obligation to make reasonable efforts (in
Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.
</p>
<p>
<company_short/>
and
<client_short/>
agree to take reasonable measures to maintain the confidentiality of
information and any personal data they gain access to in the course of
performing the code audit. Both parties will use the information and data
they receive or access only for the purposes outlined in this agreement.
<company_short/>
warrants that all core-team members, external freelancers, and volunteers it
engages to perform the code audit have signed a non-disclosure agreement
(NDA).
</p>
</section>


@ -1,4 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- snippet --><p>Based on the information provided, we expect
this to be an <p_duration/>-day engagement. The planning of this engagement
is as follows:</p>
<p>Based on the information provided, we expect this to be a <p_duration/>-day
engagement. The planning of this engagement is as follows:
</p>
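Review bot: Changing `an <p_duration/>-day` to `a <p_duration/>-day` (L919) only fixes the article for some offers: the right article depends on the number substituted for `<p_duration/>` ("a 5-day" but "an 8-day" or "an 11-day" engagement), so neither form is correct for every value. Rephrase so no indefinite article precedes the placeholder, e.g. `<p>Based on the information provided, we expect the <p_duration/>-day engagement to be planned as follows:</p>`, which keeps the number-agnostic `-day` form. The closing `</p>` moved onto its own line (L921) also adds a newline and indentation inside the paragraph text; that is collapsed by most renderers but will show up in any plain-text export.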


@ -1,93 +1,117 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="waiver-example">
<title>ANNEX 2 Example Pentest Waiver</title>
<title>ANNEX 2 Example Pentest Waiver</title>
<p><b><i>(Full Client Name)</i> (“<i>(Client)</i>”)</b>, with its registered
office at Somestreet, Somecity, Earth,
Milkyway, and duly represented by <i>(Client's CISO)</i></p>
<p>
<b><i>(Full Client Name)</i> (“<i>(Client)</i>”)</b>, with its registered
office at Somestreet, Somecity, Earth, Milkyway, and duly represented by
<i>(Client's CISO)</i>
</p>
<p><b>WHEREAS:</b></p>
<p>
<b>WHEREAS:</b>
</p>
<p>A. <i>(Client)</i> wants some of its systems tested, <company_long/>
(“<company_short/>”) has offered to perform such testing for <i>(Client)</i>
and <i>(Client)</i> has accepted this offer. The assignment will be performed
by <company_short/>'s core-team members, external freelancers, and/or volunteers
(the “Consultants”).</p>
<p>B. Some of the activities performed by <company_short/> and the Consultants
during the course of this assignment could be considered illegal, unless
<i>(Client)</i> has given permission for these activities. <company_short/>
and the Consultant will only perform such activities if they have received the
required permission.</p>
<p>C. <i>(Client)</i> is willing to give such permission to <company_short/>,
the Consultants, and any other person <company_short/> might employ
or engage for the assignment.</p>
<p>A. <i>(Client)</i> wants some of its systems tested,
<company_long/> (“<company_short/>”) has offered to perform such testing for
<i>(Client)</i> and <i>(Client)</i> has accepted this offer. The assignment
will be performed by <company_short/>'s core-team members, external freelancers,
and/or volunteers (the “Consultants”).
</p>
<p>B. Some of the activities performed by <company_short/>
and the Consultants during the course of this assignment could be considered
illegal, unless <i>(Client)</i>
has given permission for these activities. <company_short/>
and the Consultant will only perform such activities if they have received
the required permission.
</p>
<p>C. <i>(Client)</i> is willing to give such permission to <company_short/>,
the Consultants, and any other person <company_short/> might employ or engage
for the assignment.
</p>
<p><b>DECLARES AS FOLLOWS:</b></p>
<p>1. <i>(Client)</i> is aware that <company_short/> will perform penetration
testing services on the <i>(Client)</i>'s following systems, as
described below. The services are intended to gain insight in the security of
these systems. To do so, <company_short/> will access these systems, attempt to
find vulnerabilities, and gain further access and elevated privileges by
exploiting any vulnerabilities found. <company_short/> will test the following
targets (the “Targets”):
<ul>
<li>Target system</li>
</ul>
</p>
<p>2. <i>(Client)</i> hereby grants <company_short/> and the Consultants on a
date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</p>
<p>
<b>DECLARES AS FOLLOWS:</b>
</p>
<p>1. <i>(Client)</i> is aware that <company_short/>
will perform penetration testing services on the <i>(Client)</i>'s following
systems, as described below. The services are intended to gain insight in
the security of these systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities, and gain further
access and elevated privileges by exploiting any vulnerabilities found.
<company_short/> will test the following targets (the “Targets”):
<ul>
<li>Target system</li>
</ul>
</p>
<p>2. <i>(Client)</i> hereby grants <company_short/>
and the Consultants on a date to be confirmed by email the broadest
permission possible to perform the assignment, including the permission to:
</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove, and turn off any security measures protecting
the Targets;</p>
<p>c. copy, intercept, record, amend, delete, and render unusable or inaccessible
any data stored on, processed by, or transferred via the Targets; and</p>
<p>d. hinder the access or use of the Targets,</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove, and turn off any security measures
protecting the Targets;
</p>
<p>c. copy, intercept, record, amend, delete, and render unusable or
inaccessible any data stored on, processed by, or transferred via the
Targets; and
</p>
<p>d. hinder the access or use of the Targets,</p>
<p>but <i>(Client)</i> only grants the permission for these activities to the
extent that (i) such activities are necessary to perform the assignment and
(ii) such activities do not disrupt the normal business operations of <i>(Client)</i>.</p>
<p>3. The permission under Article 1 extends to all systems on which the Targets
run, or which <company_short/> or the Consultant might encounter while performing
the assignment, regardless of whether these systems are owned by third parties.</p>
<p>4. <i>(Client)</i> warrants that it has the legal authority to give the
permission set out under Articles 1 and 2. It also warrants it has obtained the
necessary permissions from any third parties referred to under Article 3.</p>
<p>5. Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then
<i>(Client)</i> will co-operate fully with <company_short/> in defending against
this investigation or proceedings, including by providing any evidence it has
which relates to this investigation or these proceedings.</p>
<p>but <i>(Client)</i> only grants the permission for these activities to the
extent that (i) such activities are necessary to perform the assignment and
(ii) such activities do not disrupt the normal business operations of <i>
(Client)</i>.
</p>
<p>3. The permission under Article 1 extends to all systems on which the
Targets run, or which <company_short/>
or the Consultant might encounter while performing the assignment,
regardless of whether these systems are owned by third parties.
</p>
<p>4. <i>(Client)</i> warrants that it has the legal authority to give the
permission set out under Articles 1 and 2. It also warrants it has obtained
the necessary permissions from any third parties referred to under Article
3.
</p>
<p>5. Should the public prosecutor initiate an investigation or criminal
proceedings against <company_short/>
or any of the consultants it engaged or employed as a result of the
performance of the assignment for the customer, then
<i>(Client)</i> will co-operate fully with <company_short/>
in defending against this investigation or proceedings, including by
providing any evidence it has which relates to this investigation or these
proceedings.
</p>
<br/>
<table cols="48 433">
<tbody>
<tr>
<td rowspan="4">
Signed
</td>
<td>
on __________________________________
</td>
</tr>
<tr>
<td>
in __________________________________
</td>
</tr>
<tr>
<td>
by __________________________________
</td>
</tr>
<tr>
<td>
for <i>(Full Client Name)</i>
</td>
</tr>
</tbody>
</table>
<br/>
<table cols="48 433">
<tbody>
<tr>
<td rowspan="4">
Signed
</td>
<td>
on __________________________________
</td>
</tr>
<tr>
<td>
in __________________________________
</td>
</tr>
<tr>
<td>
by __________________________________
</td>
</tr>
<tr>
<td>
for <i>(Full Client Name)</i>
</td>
</tr>
</tbody>
</table>
</section>
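Review bot: The re-wrap at L1037–L1038 breaks the line inside an inline element, leaving `<i>` followed by a newline and indentation before `(Client)</i>`, so the italic run now begins with whitespace that is part of its text content; in mixed content that whitespace is data, and unless the renderer collapses it the sentence renders as "operations of  (Client)." with a stray space. Keep the inline element intact on one line, `<i>(Client)</i>.`, and let the wrap fall before it. The milder form of the same pattern, a placeholder alone on its own line (`<company_short/>` at L812, L854, L898–L900, L1051), is harmless only if every output path normalises whitespace between inline nodes, which is worth confirming once for any plain-text rendering. Separately and pre-existing, Article 3 (L1040) refers to "the permission under Article 1", but Article 1 (L990) only describes the testing and the Targets while the grant of permission is Article 2 (L1001); if that reading is right, the clause that extends the permission to third-party systems should read `3. The permission under Article 2 extends to all systems on which the`.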


@ -1,197 +1,289 @@
<?xml version="1.0" encoding="UTF-8"?>
<annex>
<title>Annex 1<br/>General Terms and Conditions</title>
<p><b>What is this document?</b></p>
<p>These are the general terms and conditions (in Dutch: “<i>algemene voorwaarden</i>”)
of <company_long/> (<company_short/>). This version of the general terms and conditions
is dated 15 July 2014.</p>
<p>In the spirit of <company_short/>'s philosophy, <company_short/> wants these
general terms and conditions to be as understandable as possible. If you have any
questions, feel free to ask for clarification.</p>
<p><b>What is <company_long/>?</b></p>
<p><company_short/> is a private limited liability company under Dutch law located
in Amsterdam, The Netherlands. It is registered at the Dutch Chamber of Commerce
under no. 60628081.</p>
<p><b>To what do these terms and conditions apply?</b></p>
<p>These general terms and conditions apply to all agreements between <company_short/>
and the customer. <company_short/> rejects any terms and conditions used by the
customer. The parties can only deviate from these general terms and conditions
in writing. These general terms and conditions are also intended to benefit any
person employed or engaged by <company_short/> during the performance of an assignment.</p>
<p><b>How does <company_short/> agree on an assignment?</b></p>
<p><company_short/> wants both parties to have a clear picture of an assignment
before it starts. This means there only is an agreement between <company_short/>
and the customer after <company_short/> sends a written offer containing the key
terms of the agreement and the customer subsequently accepts the offer.
Communications other than the written offer do not form part of the agreement.
<company_short/> can rescind an offer until it is accepted by the customer.</p>
<p><b>What can the customer expect from <company_short/>?</b></p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is secure.
<company_short/> instead has an obligation to make reasonable efforts
(in Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.</p>
<p><company_short/> will make reasonable efforts to perform the assignment in
accordance with the plan set out in the offer (if any). If <company_short/>
expects it will not fulfill the plan as documented, it will let the customer
know without delay. <company_short/> is not automatically deemed to be in default
if it doesn't meet the plan.</p>
<p><company_short/> will make reasonable efforts to avoid disruption of the
customer's operations and damage to its owned or operated systems, but it
cannot guarantee that this will be avoided. The customer agrees
to this. <company_short/> is not obliged to restore the systems or recover any
data deleted or amended in the course of the assignment.</p>
<p><b>What can <company_short/> expect from the customer?</b></p>
<p>The customer will provide <company_short/> with all means necessary to allow
<company_short/> to perform the agreed services. If <company_short/> needs explicit
permission from the customer to perform its services (for example, when doing
penetration tests) the customer gives this permission. The customer also warrants
that it has the legal authority to give this permission.</p>
<p><b>How do the parties handle confidential information?</b></p>
<p><company_short/> and the customer will not disclose to others confidential
information and personal data they receive from each other or gain access to in
the course of an assignment. <company_short/> has the right to disclose this
information and data to persons engaged by <company_short/>, but only if these
persons have a similar confidentiality obligation vis-á-vis <company_short/>.
Any person will only use the information and data it receives or gains access
to for the purposes following from the agreement. Both parties will take reasonable
measures to maintain the confidentiality of the information and data they received
or gained access to, and will ensure that persons engaged by them do the same.</p>
<p><b>What does <company_short/> do with vulnerabilities it finds in the course
of an assignment?</b></p>
<p>If <company_short/> in the course of an assignment finds a vulnerability which
might affect the customer, it will report this to the customer. If a vulnerability
might affect third parties as well, <company_short/> retains the right to disclose
this vulnerability also to others than the customer. It will only do so after
having given the customer a reasonable period to take measures minimising the
impact of the vulnerability, in line with responsible disclosure best practices.</p>
<p><b>What does <company_short/> do with indicators of compromise it finds?</b></p>
<p>If <company_short/> in the course of an assignment finds indicators of
compromise, such as malware signatures and IP-addresses, it will report this to
the customer. <company_short/> retains the right to also publish this information
in a publicly accessible database. It will only do so after it has given the
customer the opportunity to object to the publication of data which would
negatively impact the customer.</p>
<p><b>Who owns the products developed in the course of the assignment?</b></p>
<p><company_short/> retains any intellectual property rights in products developed
for an assignment, such as software and reports. <company_short/>, however, wants
to teach as many customers as possible 'how to fish'.</p>
<p>For software it developed, this means that <company_short/> gives the customer
a permanent, non-exclusive, transferable, sub-licensable, worldwide license to
distribute and use the software in source and binary forms, with or without
modification (very similar to the BSD-license). If <company_short/>'s software
is based on other software which is provided under a license which restricts
<company_short/>'s ability to license its own software (such as the GPLv3 license),
the more restrictive license will apply.</p>
<p>For other products it developed, such as reports and analyses, <company_short/>
gives the customer the same license, but this license is exclusive to the customer
and does not contain the right to modification. The latter condition is intended
to ensure that the customer will not change <company_short/>'s products, such as
reports and analyses. <company_short/> retains the right to reuse these products,
for example for training and marketing purposes. <company_short/> will remove any
confidential information from these products before publication.</p>
<p><company_short/> retains title to any property transferred to the customer
until all outstanding payments by the customer have been done in full (in Dutch:
<i>eigendomsvoorbehoud</i>”). <company_short/> also only gives a license after
all outstanding payments have been done in full.</p>
<p><b>Who will perform the assignment?</b></p>
<p><company_short/> has the right to appoint the persons who will perform the
assignment. It has the right to replace a person with someone with at least the
same expertise, but only after having consulted with the customer. This means
that section 7:404 Dutch Civil Code (in Dutch: “<i>Burgerlijk Wetboek</i>”) is
excluded.</p>
<p>Due to the nature of <company_short/>'s business, <company_short/> regularly
works with freelancers for the performance of its assignments. <company_short/>
has the right to engage third parties, including freelancers, in the course of
the performance of an assignment.</p>
<p><company_short/> wants to be able to use the expertise of its entire team to
help with an assignment. This means that in the course of an assignment, it is
possible that the persons performing the assignment will consult with and be
advised by others in <company_short/>'s team. These others will of course be
bound by the same confidentiality obligations as the persons performing the assignment.</p>
<p><b>What happens when the scope of the assignment is bigger than agreed?</b></p>
<p><company_short/> and the customer will attempt to precisely define the scope
of the assignment before <company_short/> starts. If during the course of the
assignment, the scope turns out to be bigger than expected, <company_short/>
will report this to the customer and make a written offer for the additional work.</p>
<p><b>How is payment arranged?</b></p>
<p>All amounts in <company_short/>'s offers are in Euros, excluding VAT and
other applicable taxes, unless agreed otherwise.</p>
<p>For assignments where the parties agreed to an hourly fee, <company_short/>
will send an invoice after each month. For other assignments, <company_short/>
will send an invoice after completion of the assignment, and at moments set out
in the offer (if any). The customer must pay an invoice within 30 days of the
invoice date.</p>
<p><company_short/> may, prior to an assignment, agree on the payment of a
deposit by the customer. <company_short/> will settle deposits with interim
payments or the final invoice for the assignment.</p>
<p>If the payment is not received before the agreed term, the client will be
deemed to be in default without prior notice. <company_short/> will then have
the right to charge the statutory interest (in Dutch: “<i>wettelijke rente</i>”)
and any judicial and extrajudicial (collection) costs (in Dutch:
<i>gerechtelijke- en buitengerechtelijke (incasso)kosten</i>”).</p>
<p>If the customer cancels or delays the assignment two weeks before it starts,
<company_short/> is entitled to charge the customer 50% of the agreed price.
If the customer cancels or delays the assignment after it already started,
<company_short/> is entitled to charge the customer 100% of the agreed price.
<company_short/> is entitled to charge a pro rata percentage in the case of
cancellation or delay shorter than two weeks before the start of the assignment
(i.e. a cancellation one week before the assignment would entitle <company_short/>
to charge 75% of the agreed price).</p>
<p><b>For what can <company_short/> be held liable?</b></p>
<p>Any liability of <company_short/> resulting from or related to the performance
of an assignment, shall be limited to the amount that is paid out in that
specific case under an applicable indemnity insurance of <company_short/>,
if any, increased by the amount of the applicable deductible (in Dutch:
<i>eigen risico</i>”) which under that insurance shall be borne by <company_short/>.
If no amount is paid out under an insurance, these damages are limited to the
amount already paid for the assignment, with a maximum of EUR 10.000.
Each claim for damages shall expire after a period of one month from the day
following the day on which the customer became aware or could reasonably
be aware of the existence of the damages.</p>
<p>To make things clear, <company_short/> is not liable if a person associated
with <company_short/> acts contrary to any confidentiality or non-compete
obligation vis-á-vis the customer or a third party, this person might have
agreed to in another engagement.</p>
<p>What happens when third parties lodge a claim or initiate criminal proceedings
against <company_short/>?</p>
<p>The customer shall indemnify <company_short/> and any person employed or
engaged by <company_short/> for any claims of third parties which are in any
way related to the activities of <company_short/> and any person employed or
engaged by <company_short/> for the customer.</p>
<p>Should a third party lodge a claim against <company_short/> or any of the
consultants it engaged or employed as a result of the performance of the assignment
for the customer, then the customer will co-operate fully with <company_short/>
in defending against this claim, including by providing to <company_short/> any
evidence it has which relates to this claim.
Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then the customer
will also co-operate fully with <company_short/> in defending against this
investigation or proceedings, including by providing any evidence it has which
relates to this investigation or these proceedings.</p>
<p>The customer shall reimburse <company_short/> and any person employed or
engaged by <company_short/> all costs of legal defence and all damages in
relation to these claims, investigations or proceedings. This provision does
not apply to the extent a claim, investigation, or proceeding is the result of
the intent or recklessness (in Dutch: “<i>opzet of bewuste roekeloosheid</i>”)
of <company_short/> or a person employed or engaged by <company_short/>.</p>
<p><b>When is this agreement terminated and what happens then?</b></p>
<p>Each of the parties may terminate the agreement wholly or partly without
prior notice if the other party is declared bankrupt or is being wound up or if
the other party's affairs are being administered by the court
(in Dutch: “surséance van betaling”).</p>
<p><b>When can <company_short/> not be expected to perform the assignment?</b></p>
<p>In the case of force majeure (in Dutch: “<i>overmacht</i>”) as a result of
which <company_short/> cannot reasonably be expected to perform the assignment,
the performance will be suspended. Situations of force majeure include cases
where means, such as soft- and hardware, which are prescribed by the customer
do not function well. The agreement may be terminated by either party if a
situation of force majeure has continued longer than 90 days. The customer will
then have to pay the amount for the work already performed pro rata.</p>
<p><b>Which law applies and which court is competent?</b></p>
<p>Dutch law applies to the legal relationship between <company_short/> and its
customers. Any dispute between <company_short/> and a customer will be resolved
in the first instance exclusively by the District Court (in Dutch:
<i>rechtbank</i>”) of Amsterdam, the Netherlands.</p>
</annex>
<title>Annex 1<br/>General Terms and Conditions</title>
<p>
<b>What is this document?</b>
</p>
<p>These are the general terms and conditions (in Dutch: “<i>algemene
voorwaarden</i>”) of <company_long/> (<company_short/>). This version of
the general terms and conditions is dated 15 July 2014.
</p>
<p>In the spirit of <company_short/>'s philosophy, <company_short/>
wants these general terms and conditions to be as understandable as
possible. If you have any questions, feel free to ask for clarification.
</p>
<p>
<b>What is <company_long/>?</b>
</p>
<p>
<company_short/> is a private limited liability company under Dutch law
located in Amsterdam, The Netherlands. It is registered at the Dutch
Chamber of Commerce under no. 60628081.
</p>
<p>
<b>To what do these terms and conditions apply?</b>
</p>
<p>These general terms and conditions apply to all agreements between
<company_short/> and the customer. <company_short/>
rejects any terms and conditions used by the customer. The parties can only
deviate from these general terms and conditions in writing. These general
terms and conditions are also intended to benefit any person employed or
engaged by <company_short/> during the performance of an assignment.
</p>
<p>
<b>How does <company_short/> agree on an assignment?
</b>
</p>
<p>
<company_short/> wants both parties to have a clear picture of an assignment
before it starts. This means there only is an agreement between
<company_short/> and the customer after <company_short/>
sends a written offer containing the key terms of the agreement and the
customer subsequently accepts the offer. Communications other than the
written offer do not form part of the agreement. <company_short/>
can rescind an offer until it is accepted by the customer.
</p>
<p>
<b>What can the customer expect from <company_short/>?</b>
</p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is secure.
<company_short/> instead has an obligation to make reasonable efforts (in
Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.
</p>
<p>
<company_short/> will make reasonable efforts to perform the assignment in
accordance with the plan set out in the offer (if any). If <company_short/>
expects it will not fulfill the plan as documented, it will let the customer
know without delay. <company_short/> is not automatically deemed to be in
default if it doesn't meet the plan.
</p>
<p>
<company_short/> will make reasonable efforts to avoid disruption of the
customer's operations and damage to its owned or operated systems, but it cannot
guarantee that this will be avoided. The customer agrees to this. <company_short/>
is not obliged to restore the systems or recover any data deleted or amended
in the course of the assignment.
</p>
<p>
<b>What can <company_short/> expect from the customer?</b>
</p>
<p>The customer will provide <company_short/> with all means necessary to allow
<company_short/> to perform the agreed services. If <company_short/>
needs explicit permission from the customer to perform its services (for
example, when doing penetration tests) the customer gives this permission.
The customer also warrants that it has the legal authority to give this
permission.
</p>
<p>
<b>How do the parties handle confidential information?</b>
</p>
<p>
<company_short/> and the customer will not disclose to others confidential
information and personal data they receive from each other or gain access
to in the course of an assignment. <company_short/>
has the right to disclose this information and data to persons engaged by
<company_short/>, but only if these persons have a similar confidentiality
obligation vis-á-vis <company_short/>. Any person will only use the
information and data it receives or gains access to for the purposes
following from the agreement. Both parties will take reasonable measures to
maintain the confidentiality of the information and data they received or
gained access to, and will ensure that persons engaged by them do the same.
</p>
<p>
<b>What does <company_short/> do with vulnerabilities it finds in the course
of an assignment?</b>
</p>
<p>If <company_short/> in the course of an assignment finds a vulnerability
which might affect the customer, it will report this to the customer. If a
vulnerability might affect third parties as well, <company_short/>
retains the right to disclose this vulnerability also to others than the
customer. It will only do so after having given the customer a reasonable
period to take measures minimising the impact of the vulnerability, in line
with responsible disclosure best practices.
</p>
<p>
<b>What does <company_short/> do with indicators of compromise it finds?</b>
</p>
<p>If <company_short/> in the course of an assignment finds indicators of
compromise, such as malware signatures and IP-addresses, it will report this
to the customer. <company_short/> retains the right to also publish this
information in a publicly accessible database. It will only do so after it
has given the customer the opportunity to object to the publication of data
which would negatively impact the customer.
</p>
<p>
<b>Who owns the products developed in the course of the assignment?</b>
</p>
<p>
<company_short/> retains any intellectual property rights in products
developed for an assignment, such as software and reports.<company_short/>,
however, wants to teach as many customers as possible 'how to fish'.
</p>
<p>For software it developed, this means that <company_short/>
gives the customer a permanent, non-exclusive, transferable, sub-licensable,
worldwide license to distribute and use the software in source and binary
forms, with or without modification (very similar to the BSD-license). If
<company_short/>'s software is based on other software which is provided
under a license which restricts <company_short/>'s ability to license its
own software (such as the GPLv3 license), the more restrictive license will
apply.
</p>
<p>For other products it developed, such as reports and analyses,
<company_short/> gives the customer the same license, but this license is
exclusive to the customer and does not contain the right to modification.
The latter condition is intended to ensure that the customer will not change
<company_short/>'s products, such as reports and analyses.
<company_short/> retains the right to reuse these products, for example for
training and marketing purposes. <company_short/> will remove any confidential
information from these products before publication.
</p>
<p>
<company_short/> retains title to any property transferred to the customer
until all outstanding payments by the customer have been done in full (in Dutch:
<i>eigendomsvoorbehoud</i>”). <company_short/> also only gives a license after
all outstanding payments have been made in full.
</p>
<p>
<b>Who will perform the assignment?</b>
</p>
<p>
<company_short/> has the right to appoint the persons who will perform the
assignment. It has the right to replace a person with someone with at least
the same expertise, but only after having consulted with the customer.
This means that section 7:404 Dutch Civil Code (in Dutch: “<i>Burgerlijk
Wetboek</i>”) is excluded.
</p>
<p>Due to the nature of <company_short/>'s business, <company_short/>
regularly works with freelancers for the performance of its assignments.
<company_short/> has the right to engage third parties, including freelancers,
in the course of the performance of an assignment.
</p>
<p>
<company_short/>
wants to be able to use the expertise of its entire team to help with an
assignment. This means that in the course of an assignment, it is possible
that the persons performing the assignment will consult with and be advised
by others in <company_short/>'s team. These others will of course be bound by
the same confidentiality obligations as the persons performing the
assignment.
</p>
<p>
<b>What happens when the scope of the assignment is bigger than agreed?</b>
</p>
<p>
<company_short/> and the customer will attempt to precisely define the scope
of the assignment before <company_short/> starts. If during the course of the
assignment, the scope turns out to be bigger than expected, <company_short/>
will report this to the customer and make a written offer for the additional
work.
</p>
<p>
<b>How is payment arranged?</b>
</p>
<p>All amounts in <company_short/>'s offers are in Euros, excluding VAT and
other applicable taxes, unless agreed otherwise.
</p>
<p>For assignments where the parties agreed to an hourly fee, <company_short/>
will send an invoice after each month. For other assignments, <company_short/>
will send an invoice after completion of the assignment, and at moments set
out in the offer (if any). The customer must pay an invoice within 30 days
of the invoice date.
</p>
<p>
<company_short/> may, prior to an assignment, agree on the payment of a
deposit by the customer. <company_short/> will settle deposits with interim
payments or the final invoice for the assignment.
</p>
<p>If the payment is not received before the agreed term, the client will be
deemed to be in default without prior notice. <company_short/>
will then have the right to charge the statutory interest (in Dutch:
<i>wettelijke rente</i>”) and any judicial and extrajudicial (collection)
costs (in Dutch: “<i>gerechtelijke- en buitengerechtelijke
(incasso)kosten</i>”).
</p>
<p>If the customer cancels or delays the assignment two weeks before it
starts, <company_short/> is entitled to charge the customer 50% of the agreed
price. If the customer cancels or delays the assignment after it already started,
<company_short/> is entitled to charge the customer 100% of the agreed price.
<company_short/> is entitled to charge a pro rata percentage in the case of
cancellation or delay shorter than two weeks before the start of the assignment
(i.e. a cancellation one week before the assignment would entitle
<company_short/> to charge 75% of the agreed price).
</p>
<p>
<b>For what can <company_short/> be held liable?</b>
</p>
<p>Any liability of <company_short/> resulting from or related to the performance
of an assignment, shall be limited to the amount that is paid out in that
specific case under an applicable indemnity insurance of <company_short/>,
if any, increased by the amount of the applicable deductible (in Dutch:
<i>eigen risico</i>”) which under that insurance shall be borne by
<company_short/>. If no amount is paid out under an insurance, these damages
are limited to the amount already paid for the assignment, with a maximum of
EUR 10.000. Each claim for damages shall expire after a period of one month
from the day following the day on which the customer became aware or could
reasonably be aware of the existence of the damages.
</p>
<p>To make things clear, <company_short/> is not liable if a person associated with
<company_short/> acts contrary to any confidentiality or non-compete obligation
vis-á-vis the customer or a third party, this person might have agreed to in another
engagement.
</p>
<p><b>What happens when third parties lodge a claim or initiate criminal
proceedings against <company_short/>?</b>
</p>
<p>The customer shall indemnify <company_short/> and any person employed or engaged by
<company_short/> for any claims of third parties which are in any way related to the
activities of <company_short/> and any person employed or engaged by
<company_short/> for the customer.
</p>
<p>Should a third party lodge a claim against <company_short/>
or any of the consultants it engaged or employed as a result of the
performance of the assignment for the customer, then the customer will
co-operate fully with <company_short/> in defending against this claim,
including by providing to <company_short/> any evidence it has which
relates to this claim. Should the public prosecutor initiate an investigation
or criminal proceedings against <company_short/>
or any of the consultants it engaged or employed as a result of the
performance of the assignment for the customer, then the customer will also
co-operate fully with <company_short/>
in defending against this investigation or proceedings, including by
providing any evidence it has which relates to this investigation or these
proceedings.
</p>
<p>The customer shall reimburse <company_short/> and any person employed or engaged by
<company_short/> all costs of legal defence and all damages in relation to these claims,
investigations or proceedings. This provision does not apply to the extent a
claim, investigation, or proceeding is the result of the intent or
recklessness (in Dutch: “<i>opzet of bewuste roekeloosheid</i>”) of
<company_short/> or a person employed or engaged by <company_short/>.
</p>
<p>
<b>When is this agreement terminated and what happens then?</b>
</p>
<p>Each of the parties may terminate the agreement wholly or partly without
prior notice if the other party is declared bankrupt or is being wound up or
if the other party's affairs are being administered by the court (in Dutch:
“surséance van betaling”).
</p>
<p>
<b>When can <company_short/> not be expected to perform the assignment?</b>
</p>
<p>In the case of force majeure (in Dutch: “<i>overmacht</i>”) as a result of
which <company_short/> cannot reasonably be expected to perform the assignment,
the performance will be suspended. Situations of force majeure include cases
where means, such as soft- and hardware, which are prescribed by the customer
do not function well. The agreement may be terminated by either party if a
situation of force majeure has continued longer than 90 days. The customer
will then have to pay the amount for the work already performed pro rata.
</p>
<p>
<b>Which law applies and which court is competent?</b>
</p>
<p>Dutch law applies to the legal relationship between <company_short/>
and its customers. Any dispute between <company_short/>
and a customer will be resolved in the first instance exclusively by the
District Court (in Dutch: “<i>rechtbank</i>”) of Amsterdam, the Netherlands.
</p>
</annex>


@ -1,17 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="greyboxing">
<title>The Grey-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of information
regarding the target environment, architecture, and/or applications that is
initially shared by the customer with the pentesters. With Black-Box testing,
pentesters are given no information whatsoever about the target(s). With
Crystal-Box testing, pentesters are given all information requested about the target(s),
including source-code (when relevant), access to developers or system management, etc..
<br />
<br />
<company_short/> will conduct Gray-Box testing, which means that partial information is
given on the target.
</p>
<title>The Grey-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of
information regarding the target environment, architecture, and/or
applications that is initially shared by the customer with the pentesters.
With Black-Box testing, pentesters are given no information whatsoever about
the target(s). With Crystal-Box testing, pentesters are given all
information requested about the target(s), including source-code (when
relevant), access to developers or system management, etc..
</p>
<p>
<company_short/>
will conduct Gray-Box testing, which means that partial information is given
on the target.
</p>
</section>
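Review bot: The section title spells it "Grey-Box" while the closing paragraph says "Gray-Box", and the first paragraph still ends in "etc.." with a doubled period; both survive the cleanup. Suggest `will conduct Grey-Box testing, which means that partial information is given` for the last paragraph and `relevant), access to developers or system management, etc.` for the first. The rendered diff does not mark which of the two paragraph layouts is the new side, so this assumes the re-wrapped one is.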


@ -1,11 +1,12 @@
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Introduction</title>
<p><client_long/> (hereafter “<b><client_short/></b>”), with its registered office
at <client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
Motivation for this request is that <client_short/> wishes to get a better
insight in ...</p>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>
</section>
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Introduction</title>
<p><client_long/> (hereafter “<b><client_short/></b>”), with its registered office
at <client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
The motivation for this request is that <client_short/> wishes to get a better
insight into ...</p>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>
</section>
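Review bot: The motivation sentence still ends in a bare `...` placeholder, which is easy to leave unfilled in a generated offer because it reads as ordinary text. The retest project-overview template in this same commit marks its open field with a conspicuous `<b>XXXXXXXXXX TODO XXXXXXXXXX (…)</b>`; using the same convention here, `insight into <b>XXXXXXXXXX TODO XXXXXXXXXX (motivation)</b>.</p>`, would make a missed field stand out in the rendered document.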


@ -1,10 +1,16 @@
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Introduction</title>
<p><client_long/> (hereafter “<b><client_short/></b>”), with its registered office
at <client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
Motivation for this request is that <client_short/> recently had penetration test done by <company_short/> and wishes to test if the vulnerabilities have been mitigated.</p>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>
</section>
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Introduction</title>
<p>
<client_long/> (hereafter “<b><client_short/></b>”), with its registered office at
<client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.</p>
<p>The motivation for this request is that <client_short/> has had a recent penetration
test done by <company_short/> and wishes to check that the vulnerabilities found
have been mitigated.
</p>
<p>This offer sets out the scope of the work and the terms and conditions
under which <company_short/> will perform these services.
</p>
</section>


@ -1,67 +1,90 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Pentest Methodology</title>
<p>During the execution of penetration tests, <company_long/>
broadly follows the following steps:
</p>
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Pentest Methodology</title>
<p>During the execution of penetration tests, <company_long/> broadly follows
the following steps:</p>
<ol>
<li>Requirements Gathering and Scoping;</li>
<li>Discovery;</li>
<li>Validation;</li>
<li>Information Collection;</li>
<li>Threat and Vulnerability Analysis;</li>
<li>Exploitation;</li>
<li>Reporting;</li>
</ol>
<ol>
<li>Requirements Gathering and Scoping; </li>
<li>Discovery;</li>
<li>Validation;</li>
<li>Information Collection;</li>
<li>Threat and Vulnerability Analysis;</li>
<li>Exploitation;</li>
<li>Reporting;</li>
</ol>
<p>
<b>Step 1: Requirements Gathering and Scoping</b>
<br/>
The expectations of both parties are discussed and agreements are made
regarding how to conduct the test(s). For example, contact details and the
pentest's scope are documented.
</p>
<p><b>Step 1: Requirements Gathering and Scoping</b> <br/>
The expectations of both parties are discussed and agreements are made regarding
how to conduct the test(s). For example, contact details and the pentest's scope
are documented.</p>
<p>
<b>Step 2: Discovery</b>
<br/>
As much information as possible about the target organization and target
objects is collected. This information is passively gathered, primarily from
public sources.
</p>
<p><b>Step 2: Discovery</b><br/>
As much information as possible about the target organization and target objects
is collected. This information is passively gathered, primarily from public sources.</p>
<p>
<b>Step 3: Validation</b>
<br/>
All customer-specified systems are cross-referenced with findings from the
Discovery step. We do this to ensure that discovered systems are legal
property of the customer and to verify the scope with the customer.
</p>
<p><b>Step 3: Validation</b><br/>
All customer-specified systems are cross-referenced with findings from the
Discovery step. We do this to ensure that discovered systems are legal property
of the customer and to verify the scope with the customer.</p>
<p>
<b>Step 4: Information Collection</b>
<br/>
Information from Step 2 is now used to actively collect information about
the system. Activities conducted during this phase may include: Determining
which parts of the various components will be investigated; Testing for the
presence of known vulnerabilities, using automated tests; Identifying the
offered services and fingerprinting the software used for them.
</p>
<p><b>Step 4: Information Collection</b><br/>
Information from Step 2 is now used to actively collect information about the
system. Activities conducted during this phase may include:
Determining which parts of the various components will be investigated;
Testing for the presence of known vulnerabilities, using automated tests;
Identifying the offered services and fingerprinting the software used for them.</p>
<p>
<b>Step 5: Threat and Vulnerability Analysis</b>
<br/>
Potential threats and vulnerabilities are indexed, based upon the collected
information.
</p>
<p><b>Step 5: Threat and Vulnerability Analysis</b><br/>
Potential threats and vulnerabilities are indexed, based upon the collected information.</p>
<p>
<b>Step 6: Exploitation</b>
<br/>
Attempt to use vulnerabilities of the various components. The diverse
applications and components of the client's infrastructure are rigorously
probed for frequently occurring design, configuration, and programming
errors.
</p>
<p><b>Step 6: Exploitation</b><br/>
Attempt to use vulnerabilities of the various components.
The diverse applications and components of the client's infrastructure are
rigorously probed for frequently occurring design, configuration, and
programming errors.</p>
<p>Note: <company_long/> uses open-source scanning tools to get its bearings,
but generally performs most of the exploitation by hand.
</p>
<p>Note: <company_long/> uses open-source scanning tools to get its bearings,
but generally performs most of the exploitation by hand.</p>
<p><b>Step 7: Reporting</b><br/>
After finishing the audit, a report will be delivered where the step-by-step
approach, results, and discovered vulnerabilities are described. The report and
results will be presented to the responsible project leader or manager at the
client's office.</p>
<p>Steps 4-6 may be repeated multiple times per test. For example, access may be
acquired in an external system, which serves as a stepping-stone to the internal network.
The internal network will then be explored in Steps 4 and 5, and exploited in Step 6.</p>
<!--DO NOT INCLUDE ANY OF THESE-->
<!--xi:include href="crystal-box.xml"/-->
<!--xi:include href="black-box.xml"/-->
<!--xi:include href="grey-box.xml"/-->
<p>
<b>Step 7: Reporting</b>
<br/>
After finishing the audit, a report will be delivered where the step-by-step
approach, results, and discovered vulnerabilities are described. The report
and results will be presented to the responsible project leader or manager
at the client's office.
</p>
<p>Steps 4-6 may be repeated multiple times per test. For example, access may
be acquired in an external system, which serves as a stepping-stone to the
internal network. The internal network will then be explored in Steps 4 and
5, and exploited in Step 6.
</p>
<!--DO NOT INCLUDE ANY OF THESE-->
<!--xi:include href="crystal-box.xml"/-->
<!--xi:include href="black-box.xml"/-->
<!--xi:include href="grey-box.xml"/-->
</section>
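Review bot: The three commented-out `xi:include` lines under `<!--DO NOT INCLUDE ANY OF THESE-->` survive at the end of the section, and one of the two `<section>` openings declares `xmlns:xi` that nothing uncommented in the file uses; for a cleanup commit that is dead markup carrying an instruction in a comment. Either drop the four comment lines, or keep a single comment that states the intent without the disabled includes, e.g. `<!-- crystal-box, black-box and grey-box are intentionally not included in this section -->`. The rendered diff does not mark which `<section>` opening is the new one, so whether the `xmlns:xi` declaration is added or removed here is inferred.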


@ -2,44 +2,56 @@
<section>
<title>Code Audit</title>
<p>
<company_short/> will perform a code audit. During this process we will verify if the proper
security controls are present, work as intended and are implemented correctly.
If vulnerabilities are found, we determine the threat level by assessing the
likelihood of exploitation of this vulnerability and the impact on the
Confidentiality, Integrity and Availability (CIA) of the system. We will describe how an
attacker would exploit the vulnerability and suggest ways of fixing it.<br/>
This requires an extensive knowledge of the platform the application is running on, as well
as the extensive knowledge of the language the application in written
in and patterns that have been used. Therefore a code audit done by highly-trained
specialists with a strong background in programming.
<company_short/>
will perform a code audit. During this process we will verify if the proper
security controls are present, work as intended and are implemented
correctly. If vulnerabilities are found, we determine the threat level by
assessing the likelihood of exploitation of this vulnerability and the
impact on the Confidentiality, Integrity and Availability (CIA) of the
system. We will describe how an attacker would exploit the vulnerability and
suggest ways of fixing it.
<br/>
This requires an extensive knowledge of the platform the application is
running on, as well as the extensive knowledge of the language the
application in written in and patterns that have been used. Therefore a code
audit done by highly-trained specialists with a strong background in
programming.
</p>
<p>
During the code audit, we take the following approach:
During the code audit, we take the following approach:
</p>
<ol>
<li>Thorough comprehension of functionality<br/>
We try to get a thorough comprehension of how the application works and how
it interacts with the user and other systems. Having detailed documentation
(manuals, flow charts, system sequence diagrams, design documentation) at
this stage is very helpful, as they aid the understanding of the application
</li>
<li>Static analysis<br/>
Using the understanding we gained in the previous step, we will use static code
analysis to uncover any vulnerabilities. Static analysis means the specialist will
analyze the code and implementation of security controls to get an understanding of
the security of the application, rather than running the application to reach the same
goal. This is primarily a manual process, where the specialist relies on his knowledge and expertise
to find the flaws in the application. The specialist may be aided in this process by
automatic analysis tools, but his or her skills are the driving force.<br/>
Depending on the type of application, we will identify the endpoints. In this case, it means
where data enters and leaves the application. The data is then followed through the application
and is leading in determining if assessing the quality of the security measures.
</li>
<li>Thorough comprehension of functionality
<br/>
We try to get a thorough comprehension of how the application works and
how it interacts with the user and other systems. Having detailed
documentation (manuals, flow charts, system sequence diagrams, design
documentation) at this stage is very helpful, as they aid the
understanding of the application
</li>
<li>Static analysis
<br/>
Using the understanding we gained in the previous step, we will use static
code analysis to uncover any vulnerabilities. Static analysis means the
specialist will analyze the code and implementation of security controls
to get an understanding of the security of the application, rather than
running the application to reach the same goal. This is primarily a manual
process, where the specialist relies on his knowledge and expertise to
find the flaws in the application. The specialist may be aided in this
process by automatic analysis tools, but his or her skills are the driving
force.
<br/>
Depending on the type of application, we will identify the endpoints. In
this case, it means where data enters and leaves the application. The data
is then followed through the application and is leading in determining if
assessing the quality of the security measures.
</li>
<li>Dynamic analysis<br/>
Dynamic analysis can also be performed. In this case, the program
is run and actively exploited by the specialist. This is usually done to confirm
a vulnerability and as such follows the result of the static analysis.
</li>
<li>Dynamic analysis
<br/>
Dynamic analysis can also be performed. In this case, the program is run
and actively exploited by the specialist. This is usually done to confirm
a vulnerability and as such follows the result of the static analysis.
</li>
</ol>
</section>


@ -7,7 +7,7 @@
performance requirement, in a consistent and repeatable way. For web sites
and applications it usually involves simulating multiple visitors using the
site's features in various ways. This sets it apart from DDoS testing, which
is much more indiscriminate. For load testing, <company_long/>
is much more indiscriminate. For load testing, <company_short/>
generally executes the following steps:
</p>
@ -30,8 +30,8 @@
to see whether it brings performance improvements. These reasons boil down
to running some specific tests, usually one or more of:
<ul>
<li>How much activity a system can cope with before it starts to fail (maximum
simultaneous users, maximum request rate)
<li>How much activity a system can cope with before it starts to fail
(maximum simultaneous users, maximum request rate)
</li>
<li>What level of performance can be sustained for a given load (average
response time for a fixed number of users)
@ -116,13 +116,12 @@
100, 500, 1000, 2000 users, or a maximum load test using a slow increase
from 100 to 10000 users to see how far it gets before problems appear.
</p>
<p>There are many load testing tools of varying levels of sophistication,
including Apache's simple "ab" and more complex "JMeter" projects, the
Selenium project for fine-detail browser simulation.
<company_long/>
Selenium project for fine-detail browser simulation. <company_long/>
prefers to use open-source tools such as these. There are also online
commercial services that are useful for testing very large loads that
would otherwise be difficult and expensive to configure from scratch.
commercial services that are useful for testing very large loads that would
otherwise be difficult and expensive to configure from scratch.
</p>
</section>
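Review bot: The first hunk replaces `<company_long/>` with `<company_short/>` in running text, but the last hunk's re-wrapped line `Selenium project for fine-detail browser simulation. <company_long/>` keeps the long form, so the section now mixes both within the same prose. If the intent is to use the short name after the first mention, that line should become `Selenium project for fine-detail browser simulation. <company_short/>`. The list of tools in that sentence also reads as a fragment; `projects, and the Selenium project for fine-detail browser simulation.` would close it.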


@ -1,5 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<section>
<title>Social Engineering: Phishing</title>
<p> <company_short/>
@ -48,4 +47,4 @@
(hopefully) been received, the logged results are analyzed and presented
in the final report.
</p>
</section>
</section>


@ -6,15 +6,14 @@
<li><company_short/> performs a <company_svc_short/> on <p_testingduration/>.</li>
<li><company_short/> delivers the final report <p_reportdue/>.</li>
</ul>
<!-- snippet --><p>
Our fixed-fee price quote for the above described <company_svc_short/> is <p_fee/>.- excl. VAT and out-of-pocket expenses.
<p>
Our fixed-fee price quote for the above described <company_svc_short/> is <p_fee/>.-
excl. VAT and out-of-pocket expenses.
<company_short/> will send an invoice after the completion of this assignment.
<client_short/> will pay the agreed amount within 30 days of the invoice date.
</p>
<!-- snippet --><p>
<p>
Any additional work will be charged separately. An hourly
rate for additional work will be agreed upon before starting this work.
</p>
</section>


@ -1,38 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Project Overview</title><!-- section with an overview of ROS activities -->
<!-- snippet --><p><company_short/> will perform <company_svc_long/>
for <client_short/> of the systems described below. The services are intended
to gain insight into the security of these systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities, and gain
further access and elevated privileges by exploiting any vulnerabilities
found.</p>
<!-- snippet --><p><company_short/> will test the following targets
(the “<b>Targets</b>”):</p>
<generate_targets/>
<!-- snippet --><p><company_short/> will test for the presence of the
most common vulnerabilities, using both publicly available vulnerability
scanning tools and manual testing. <company_short/> shall perform a
<p_duration/>-day (<p_mandays/>-manday), <p_boxtype/>, intrusive test via the internet.</p>
<!-- snippet --> <!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!-- snippet --><!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
<!-- section with an overview of ROS activities -->
<title>Project Overview</title>
<p>
<company_short/> will perform <company_svc_long/> for <client_short/>
of the systems described below. The services are intended to gain insight
into the security of these systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities, and gain further
access and elevated privileges by exploiting any vulnerabilities found.
</p>
<p>
<company_short/> will test the following targets (the “<b>Targets</b>”):
</p>
<generate_targets/>
<p>
<company_short/> will test for the presence of the most common
vulnerabilities, using both publicly available vulnerability scanning
tools and manual testing. <company_short/> shall perform a
<p_duration/>-day (<p_mandays/>-manday), <p_boxtype/>, intrusive test via the
internet.
</p>
<!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
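Review bot: The editing instructions left in the comments contradict each other: the two disabled paragraphs are labelled "Not Needed if Disclaimer is Included", yet the trailing comment says "REMOVE commented-out text above if not including Disclaimer", which would drop the customer's permission and authority warranty for intrusive testing exactly when the Disclaimer that normally carries it is absent. Since that permission statement is what distinguishes an authorised test from an unauthorised one, the instruction should read `<!--UNCOMMENT the two paragraphs above if the Disclaimer is NOT included; delete them if it is-->`. The same contradiction is in the follow-up project-overview section that ends just below this one.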


@ -1,27 +1,38 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Project Overview</title><!-- section with an overview of ROS activities -->
<!-- snippet --><p><company_short/> will perform <company_svc_long/>
for <client_short/> as a follow-up on the previous test in <b>XXXXXXXXXX TODO XXXXXXXXXX (timeframe of previous pentest)</b>. The services are intended to see if the previously discovered exploits are patched correctly. To do so, <company_short/> will access the systems again and test the findings from the previous penetration test (the “<b>Targets</b>”):</p>
<generate_targets/>
<!-- snippet --><p><company_short/> will test using both publicly available vulnerability scanning tools and manual testing. <company_short/> shall perform a <p_duration/>-day, <p_boxtype/> follow-up penetration test via the internet.</p>
<!-- snippet --> <!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!-- snippet --><!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
<!-- section with an overview of ROS activities -->
<title>Project Overview</title>
<p>
<company_short/> will perform <company_svc_long/> for <client_short/>
as a follow-up on the previous test in <b>XXXXXXXXXX TODO XXXXXXXXXX
(timeframe of previous pentest)</b>. The services are intended to see if the
previously discovered exploits are patched correctly. To do so,
<company_short/> will access the systems again and test the findings
from the previous penetration test (the “<b>Targets</b>”):
</p>
<generate_targets/>
<p>
<company_short/> will test using both publicly available vulnerability
scanning tools and manual testing. <company_short/> shall perform a
<p_duration/>-day, <p_boxtype/> follow-up penetration test via the internet.
</p>
<!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
@ -1,51 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Team and Reporting</title>
<title>Team and Reporting</title>
<section>
<title>Team</title>
<p><company_short/> may perform the activities with its core-team
members, external freelancers, and/or volunteers.</p>
<p>First point of contact for this assignment shall be:</p>
<ul>
<li><company_poc1/> (<company_short/>)</li>
<li><client_poc1/> (<client_short/>)</li>
</ul>
<!-- remove this for non pentesting offers-->
<p>The workflow of our penetration testing team is modeled on that of a Capture The Flag (CTF) team:
<!-- remove this for non pentesting offers-->
<company_long/> has a geographically distributed team
and we use online infrastructure (RocketChat, GitLabs, etc.)
to coordinate our work. This enables us to invite the
customer to send several technical people from their
organization to join our <company_svc_short/> team on a volunteer basis.
Naturally, we extend this invitation to <client_short/> as well.</p>
<p>Throughout the course of the audit, we intend to actively
brainstorm with <client_short/> about both the <company_svc_short/> and the process.
This is a continuous learning experience for both us and you.
Also, in our experience, a tight feedback loop with the customer
greatly improves both the quality and focus of the engagement.</p>
<section>
<title>Team</title>
<p>
<company_short/> may perform the activities with its core-team members,
external freelancers, and/or volunteers.
</p>
<p>First point of contact for this assignment shall be:</p>
<ul>
<li>
<company_poc1/> (<company_short/>)
</li>
<li>
<client_poc1/> (<client_short/>)
</li>
</ul>
<!-- remove this for non pentesting offers-->
<p>The workflow of our penetration testing team is modeled on that of a
Capture The Flag (CTF) team:
<!-- remove this for non pentesting offers-->
</section>
<section>
<title>Reporting</title>
<p><company_short/> will report to <client_short/> on the <company_svc_short/>.
This report will include the steps it has taken during the
test and the vulnerabilities it has found. It will include
recommendations but not comprehensive solutions on how to address
these vulnerabilities.</p>
<p>A sample Pentest report can be found here</p>
<ul>
<li><a href="https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf">https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf</a></li>
</ul>
<p>One of <company_short/>'s Core Principles is the Teach
To Fish principle otherwise known as the 'Peek over our
Shoulder' (PooS) principle. We strive to structure our
services so they can also serve as a teaching or training
opportunity for our customers.</p>
</section>
<company_long/> has a geographically distributed team and we use online
infrastructure (RocketChat, GitLabs, etc.) to coordinate our work. This
enables us to invite the customer to send several technical people from
their organization to join our <company_svc_short/> team on a volunteer
basis. Naturally, we extend this invitation to <client_short/> as well.
</p>
<p>Throughout the course of the audit, we intend to actively brainstorm with
<client_short/> about both the <company_svc_short/>
and the process. This is a continuous learning experience for both us and
you. Also, in our experience, a tight feedback loop with the customer
greatly improves both the quality and focus of the engagement.
</p>
</section>
<section>
<title>Reporting</title>
<p>
<company_short/> will report to <client_short/>
on the <company_svc_short/>. This report will include the steps it has
taken during the test and the vulnerabilities it has found. It will
include recommendations but not comprehensive solutions on how to address
these vulnerabilities.
</p>
<p>A sample Pentest report can be found here</p>
<ul>
<li>
<a
href="https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf">
https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf</a>
</li>
</ul>
<p>One of <company_short/>'s core principles is “Teach To Fish”, otherwise
known as “Peek over our Shoulder” (PooS); We strive to structure our
services so they can also serve as teaching or training opportunities for
our customers.
</p>
</section>
</section>
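Review bot: The two `<!-- remove this for non pentesting offers-->` markers in the Team section bracket only the opening `<p>` and the first sentence ("modeled on that of a Capture The Flag (CTF) team:"), while the same paragraph continues through the `<company_long/> has a geographically distributed team …` text and is only closed by the `</p>` after "Naturally, we extend this invitation to <client_short/> as well.", so deleting the bracketed span as instructed leaves a dangling `</p>` and the snippet stops being well-formed. Either close the sentence with `</p>` before the second marker and reopen `<p>` for the distributed-team text, or move the second marker past that `</p>` and state in it that the whole paragraph goes. The mismatch is inherited from the old side, but the reflow in this commit was the moment to fix it. Separately, the reflowed sample-report link now has a line break and indentation inside the `<a>` text; in mixed content that whitespace is data and may render as a leading space before the URL.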
@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Algemene voorwaarden</title>
<!-- snippet --><p><company_short/> zal alleen de <company_svc_short/>
<p><company_short/> zal alleen de <company_svc_short/>
uitvoeren als het de toestemming heeft gekregen van <generate_permission_parties/>
zoals uiteengezet in de penetratietestvrijwaring, bijgevoegd als <b>Annex 2</b>
of verschaft als los document.</p>
@ -1,3 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- snippet --><p>Op basis van de verstrekte informatie verwachten wij dat het uitvoeren van de opdracht <p_duration/> dagen zal duren.
De planning van de opdracht is als volgt:</p>
<p>Op basis van de verstrekte informatie verwachten wij dat het uitvoeren van de
opdracht <p_duration/> dagen zal duren. De planning van de opdracht is als volgt:
</p>
@ -1,58 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<section todo="no">
<title>Projectoverzicht</title><!-- section with an overview of ROS activities -->
<!-- snippet --><p><company_short/> zal <company_svc_long/> uitvoeren voor <client_short/>
op de hieronder beschreven systemen. De diensten zijn bedoeld om inzicht te bieden
in de veiligheid van deze systemen. Om dit te kunnen bewerkstelligen zal <company_short/>
toegang krijgen tot deze systemen, proberen kwetsbaarheden op te sporen en trachten
verdere toegang te krijgen door de gevonden kwetsbaarheden uit te buiten.</p>
<!-- snippet --><p><company_short/> zal de volgende doelwitten testen
(de “<b>Doelwitten</b>”):</p>
<generate_targets/>
<!-- snippet --><p><company_short/> zal testen op de aanwezigheid van de
meest voorkomende kwetsbaarheden, gebruik makend van zowel publiek beschikbare
scanning tools, als door handmatig testen. <company_short/> zal een grondige
<p_duration/>-daagse (<p_mandays/> mandagen), <p_boxtype/> test uitvoeren via internet.</p>
<section todo="yes">
<title>Scope</title>
<p><company_short/> schat de uitvoering van de penetratietest op ... dagen in totaal: </p>
<ul>
<li>... dagen voor het testen van ...;</li>
<li>... dagen voor het testen van ...;</li>
<li>... dagen voor de verificatie van potentiële risico's, opstellen van een Proof of Concept
en het vastleggen van onze bevindingen en aanbevelingen in het rapport.</li>
</ul>
<br/>
<b>Out of scope</b><br/>
<p>De onderliggende netwerkinfrastructuur, ..., ... en eventuele loadbalancing-infrastructuur maken geen deel uit van de scope.
Uitgesloten zijn ook:</p>
<ul>
<li>elke vorm van social engineering;</li>
<li>(D)DoS aanvallen;</li>
<li>...</li>
</ul>
</section>
<!-- snippet --> <!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!-- snippet --><!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
<!-- section with an overview of ROS activities --><title>Projectoverzicht</title>
<p>
<company_short/> zal <company_svc_long/> uitvoeren voor <client_short/>
op de hieronder beschreven systemen. De diensten zijn bedoeld om inzicht te
bieden in de veiligheid van deze systemen. Om dit te kunnen bewerkstelligen
zal <company_short/> toegang krijgen tot deze systemen, proberen kwetsbaarheden
op te sporen en trachten verdere toegang te krijgen door de gevonden
kwetsbaarheden uit te buiten.
</p>
<p>
<company_short/> zal de volgende doelwitten testen (de “<b>Doelwitten</b>”):
</p>
<generate_targets/>
<p>
<company_short/> zal testen op de aanwezigheid van de meest voorkomende
kwetsbaarheden, gebruik makend van zowel publiek beschikbare scanning tools,
als door handmatig testen. <company_short/> zal een grondige <p_duration/>-daagse
(<p_mandays/> mandagen), <p_boxtype/> test uitvoeren via internet.
</p>
<section todo="yes">
<title>Scope</title>
<p>
<company_short/> schat de uitvoering van de penetratietest op ... dagen in totaal:
</p>
<ul>
<li>... dagen voor het testen van ...;</li>
<li>... dagen voor het testen van ...;</li>
<li>... dagen voor de verificatie van potentiële risico's, opstellen van
een Proof of Concept en het vastleggen van onze bevindingen en
aanbevelingen in het rapport.
</li>
</ul>
<p>
<b>Out of scope</b>
</p>
<p>De onderliggende netwerkinfrastructuur, ..., ... en eventuele
loadbalancing-infrastructuur maken geen deel uit van de scope. Uitgesloten
zijn ook:
</p>
<ul>
<li>elke vorm van social engineering;</li>
<li>(D)DoS aanvallen;</li>
<li>...</li>
</ul>
</section>
<!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
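Review bot: The editing instructions around the commented-out disclaimer paragraphs at the end of the Projectoverzicht section contradict each other: both paragraph markers say `Not Needed if Disclaimer is Included`, while the closing marker says `REMOVE commented-out text above if not including Disclaimer`, so an editor following either one literally can end up with the client's consent-to-disruption and limits-of-service wording either duplicated against Annex 2 or absent from the offer entirely. Because that wording is what records the client's permission and the scope of <company_short/>'s obligation, the template should make it unambiguous that it appears exactly once; replace the closing marker with `<!-- Disclaimer included: delete the two commented-out paragraphs above. Disclaimer NOT included: uncomment them (and translate them; this is a Dutch offer). -->`. The commented-out text is also English inside an otherwise Dutch document, so uncommenting it as-is would mix languages. The same contradictory pair of markers appears in the English follow-up project-overview file earlier in this commit.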