implemented advanced snippet selection for quotes/offertes, better denomination selection throughout document suite

This commit is contained in:
skyanth 2016-09-08 14:34:42 +02:00
parent 40db16580f
commit a213cb7a84
36 changed files with 367 additions and 4394 deletions


@ -16,12 +16,13 @@
</xs:sequence>
<xs:attribute name="invoice_no" type="xs:string"/>
<xs:attribute name="date" type="xs:date" use="optional"/>
<xs:attribute name="denomination" use="optional" default="euro">
<xs:attribute name="denomination" use="required">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="euro"/>
<xs:enumeration value="dollar"/>
</xs:restriction>
<xs:enumeration value="eur"/>
<xs:enumeration value="gbp"/>
<xs:enumeration value="usd"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
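Review bot: Replacing the `euro`/`dollar` enumeration with `eur`/`gbp`/`usd` while also switching `denomination` to `use="required"` is a breaking schema change, and nothing in the hunk records the old-to-new mapping for documents that still carry `denomination="euro"` (the example invoice and offerte deleted elsewhere in this commit did) or that omitted the attribute and relied on the former default. An `<xs:annotation><xs:documentation>` inside the attribute saying the value is a lowercase ISO 4217 currency code and that `euro`/`dollar` became `eur`/`usd` would give whoever migrates older documents the rule in one place. The same inline `xs:simpleType` is repeated verbatim in the second file section of this commit; declaring it once as a named global `xs:simpleType` and referencing it with `type=` keeps the two value lists from drifting apart. Whether the two schemas can share that type through an `xs:include` cannot be told from these hunks.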


@ -82,11 +82,12 @@
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:integer">
<xs:attribute name="denomination" use="optional" default="euro">
<xs:attribute name="denomination" use="required">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="euro"/>
<xs:enumeration value="dollar"/>
<xs:enumeration value="eur"/>
<xs:enumeration value="gbp"/>
<xs:enumeration value="usd"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>


@ -1,79 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<contract xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xsi:noNamespaceSchemaLocation="../dtd/contract.xsd"
xml:lang="en">
<meta>
<xi:include href="snippets/company_info.xml"/>
<scope>
<contract_type>fixed_term</contract_type>
<!-- single_engagement or fixed_term -->
<engagement_description>battle the pirates</engagement_description>
<!-- [NOTE: only needed for SINGLE ENGAGEMENT type contract, value is ignored otherwise] -->
<secondpartyrole>Consultant</secondpartyrole>
<!-- what contractor will be referred to throughout the contract. Can be anything, but should probably be Consultant or Consultancy company. When in doubt, leave as is. -->
</scope>
<contractor sex="M"><!-- (M|F|O) (O for other) --> <!-- this info is used to select the correct pronoun, not for profiling :) -->
<name>Peter Pan</name>
<ctcompany>Lost Boys Inc.</ctcompany>
<!-- delete element in case of freelancer without company -->
<address>Cloud 9</address>
<postal_code>1234 XX</postal_code>
<city>Treehouse City</city>
<country>Neverland</country>
<email>peter@pan.tech</email>
<hourly_fee denomination="eur">50</hourly_fee>
<!-- (eur|gbp|usd) -->
</contractor>
<work>
<activities><!-- add/delete activity elements as necessary -->
<activity>Taunting Captain Hook</activity>
<activity>Feeding crocodiles</activity>
<activity>Flying to and fro ('to' and 'fro' to be specified at takeoff)</activity>
</activities>
<start_date>2016-08-18</start_date>
<end_date>2016-09-15</end_date>
<planning><!-- amount of work to be done between the start and end date -->
<hours>30</hours>
<!-- non-negative integer, used for planned working hours over total engagement (for SINGLE ENGAGEMENT contract) or over each period in <per> (for FIXED TIME contract) -->
<per>month</per>
<!-- (month|week) [NOTE: only used for FIXED TIME contract, value is ignored otherwise] -->
</planning>
</work>
</meta>
<section>
<title>security consulting agreement</title>
<xi:include href="snippets/contract/en/parties.xml"/>
<p>WHEREAS:</p>
<ol type="A">
<xi:include href="snippets/contract/en/wa_contractorcan.xml"/>
<xi:include href="snippets/contract/en/wa_noemploymentintention.xml"/>
</ol>
<!--Agreement section-->
<section>
<title>agree as follows</title>
<ol type="1">
<xi:include href="snippets/contract/en/ag_period.xml"/>
<xi:include href="snippets/contract/en/ag_noemployment.xml"/>
<xi:include href="snippets/contract/en/ag_companyinstructs.xml"/>
<xi:include href="snippets/contract/en/ag_ownrisk.xml"/>
<xi:include href="snippets/contract/en/ag_workinghours.xml"/>
<xi:include href="snippets/contract/en/ag_payment_fixed_term.xml"/>
<xi:include href="snippets/contract/en/ag_biggerscopewarning.xml"/>
<xi:include href="snippets/contract/en/ag_propertyrights.xml"/>
<xi:include href="snippets/contract/en/ag_retainrights.xml"/>
<xi:include href="snippets/contract/en/ag_nondisclosure.xml"/>
<xi:include href="snippets/contract/en/ag_responsibilities.xml"/>
<xi:include href="snippets/contract/en/ag_thirdparty.xml"/>
<xi:include href="snippets/contract/en/ag_liability.xml"/>
<xi:include href="snippets/contract/en/ag_provisions.xml"/>
<xi:include href="snippets/contract/en/ag_generaltermsandconditions.xml"/>
</ol>
</section>
<section>
<title>Signed in duplicate on August 18, 2016 in</title>
<generate_contract_signature_box/>
</section>
</section>
</contract>



@ -1,20 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<invoice xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:fo="http://www.w3.org/1999/XSL/Format"
xsi:noNamespaceSchemaLocation="../dtd/invoice.xsd"
date="2016-08-25"
invoice_no="00/000"
denomination="euro">
<meta>
<xi:include href="snippets/company_info.xml"/>
<xi:include href="client_info.xml"/>
</meta>
<servicesdelivered>
<service>
<description>6-day penetration test Sitting Duck</description>
<fee>100</fee>
</service>
</servicesdelivered>
</invoice>


@ -1,73 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<offerte xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:fo="http://www.w3.org/1999/XSL/Format"
xsi:noNamespaceSchemaLocation="../dtd/offerte.xsd"
xml:lang="en"><!--document meta information; to be filled in by the offerte writer-->
<meta>
<offered_service_long>penetration testing services</offered_service_long>
<!--if there is a shorter way of saying the same thing, you can type it here (it makes for more dynamic offerte text). If not, just repeat the long name.-->
<offered_service_short>penetration test</offered_service_short>
<xi:include href="snippets/company_info.xml"/>
<targets><!--one target element per target-->
<target>dsfsd</target>
<target>adfsd</target>
</targets>
<permission_parties>
<xi:include href="client_info.xml"/>
<party>
<full_name>dafaf</full_name>
<short_name>dad</short_name>
<!-- Name of the person who will need to sign the waiver for this vendor -->
<waiver_rep>sgf</waiver_rep>
<address>fsgf</address>
<city>sgf</city>
<country>sfgsfg</country>
</party>
</permission_parties>
<pentestinfo>
<duration>6</duration>
<!--duration of pentest, in working days-->
<test_planning>TBD</test_planning>
<!--date or date range in text, e.g. May 18th until May 25th, 2015-->
<report_due>TBD</report_due>
<!--date or date range in text, e.g. May 18th until May 25th, 2015-->
<nature>time-boxed</nature>
<type>crystal-box</type>
<!--please choose one of the following: black-box, grey-box, crystal-box-->
<fee denomination="euro">100</fee>
<!--(euro|dollar)-->
</pentestinfo>
<version_history><!--needed for date on frontpage and in signature boxes; it is possible to add a new <version> after each review; in that case, make sure to update the date/time-->
<version number="auto" date="2016-08-25T10:00:00"><!--actual date-time here; you can leave the number attribute alone-->
<v_author>ROS Writer</v_author>
<!--name of the author here; for internal use only-->
<v_description>Initial draft</v_description>
<!--for internal use only-->
</version>
</version_history>
</meta>
<!--Introduction and Scope-->
<xi:include href="snippets/offerte/en/introandscope.xml"/>
<!--Project overview section-->
<xi:include href="snippets/offerte/en/projectoverview.xml"/>
<!--Prerequisites section-->
<xi:include href="snippets/offerte/en/prerequisites.xml"/>
<!--Disclaimer section-->
<xi:include href="snippets/offerte/en/disclaimer.xml"/>
<!--Methodology section-->
<xi:include href="snippets/offerte/en/methodology.xml"/>
<xi:include href="snippets/offerte/en/codeauditmethodology.xml"/>
<xi:include href="snippets/offerte/en/teamandreporting.xml"/>
<!--Planning and payment section-->
<xi:include href="snippets/offerte/en/planningandpayment.xml"/>
<!--About Us section-->
<xi:include href="snippets/offerte/en/aboutus.xml"/>
<!--Work condition section-->
<xi:include href="snippets/offerte/en/conditions.xml"/>
<!--General terms and conditions section-->
<xi:include href="snippets/offerte/en/generaltermsandconditions.xml"/>
<!--Waivers-->
<xi:include href="snippets/offerte/en/waiver.xml"/>
</offerte>


@ -5,18 +5,18 @@
<!-- Today's date -->
<version date="2015-01-01"/>
<!-- YYYY-MM-DD -->
<!-- COMPANY INFO -->
<!-- CLIENT INFO -->
<xi:include href="client_info.xml"/>
<!-- SERVICE INFO -->
<meta>
<!-- Language the offer should be in (en|nl) -->
<offer_language>en</offer_language>
<!-- Offer type (pentest|basic-scan|load-test|other) -->
<!-- Offer type (pentest|basic-scan|load-test|code-audit|other) -->
<offer_type>pentest</offer_type>
<!-- Required service -->
<!-- Note: is only used when type is 'other', if offer_type is a specific type, service name will be taken from the localisation strings -->
<requested_service>penetration testing services</requested_service>
<requested_service></requested_service>
<!-- Which targets will need to be tested?
(one <target> element for each piece of software/service/server address/location...), delete/add as necessary -->
<targets>
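Review bot: `<requested_service></requested_service>` is now left empty in the template, but the `<!-- Required service -->` comment two lines above still reads as if a value must always be supplied; the note on the following line explains it only matters for `other`, so a short hint next to the element, e.g. `<!-- leave empty unless offer_type is 'other' -->`, stops people filling it in needlessly. The `(pentest|basic-scan|load-test|code-audit|other)` list in the comment is the only place in this hunk where the allowed `offer_type` values are spelled out; if the same list lives in the stylesheet or a schema, keeping the comment in sync is a manual step worth pointing out there.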


@ -1,58 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<quickscope xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xml="http://www.w3.org/XML/1998/namespace">
<!-- Today's date -->
<version date="2015-01-01"/>
<!-- YYYY-MM-DD -->
<!-- COMPANY INFO -->
<xi:include href="client_info.xml"/>
<!-- SERVICE INFO -->
<meta>
<!-- Language the offer should be in (en|nl) -->
<offer_language>en</offer_language>
<!-- Offer type (pentest|basic-scan|load-test|other) -->
<offer_type>pentest</offer_type>
<!-- Required service -->
<!-- Note: is only used when type is 'other', if offer_type is a specific type, service name will be taken from the localisation strings -->
<requested_service>penetration testing services</requested_service>
<!-- Which targets will need to be tested?
(one <target> element for each piece of software/service/server address/location...), delete/add as necessary -->
<targets>
<target>dsfsd</target>
<target>adfsd</target>
</targets>
</meta>
<!-- Some information about any third parties involved with the software/service to be tested, if applicable.
If not applicable, delete the whole <third_party> element. If more parties are needed, add <third_party> elements -->
<third_party>
<full_name>dafaf</full_name>
<short_name>dad</short_name>
<!-- Name of the person who will need to sign the waiver for this vendor -->
<waiver_rep>sgf</waiver_rep>
<address>fsgf</address>
<city>sgf</city>
<country>sfgsfg</country>
</third_party>
<pentest_info>
<!-- How long would you like the test to be? (in days) -->
<days>6</days>
<!-- Service execution (Use one of the following values: time-boxed, subscription) -->
<nature>time-boxed</nature>
<!-- Testing type (Use one of the following values: crystal-box, black-box, grey-box) -->
<type>crystal-box</type>
<!-- Test planning (when would you like the test to be executed -->
<!-- Ideally something specific like 'December 7th - December 12th, 2015', but another description 'Beginning of December' is fine as well -->
<!-- do not start with a capital letter -->
<planning>TBD</planning>
<!-- Pentest report delivery date (please allow at least 1 week between the end of the pentest and the report delivery date) -->
<delivery>TBD</delivery>
<!-- Do you need/want a code audit? (possible values: yes/no), only for pentest -->
<codeaudit perform="yes"/>
<!-- rate (to be filled in by ROS ;) -->
<rate>100</rate>
</pentest_info>
</quickscope>


@ -23,10 +23,26 @@
<translation xml:lang="nl">basis-securityscandiensten</translation>
<translation xml:lang="en">basic security scan services</translation>
</string>
<string id="coverpage_service_basic-scan">
<string id="coverpage_service_basic-scan_short">
<translation xml:lang="nl">basis-securityscan</translation>
<translation xml:lang="en">basic scan</translation>
</string>
<string id="coverpage_service_code-audit">
<translation xml:lang="nl">code-auditing-diensten</translation>
<translation xml:lang="en">code auditing services</translation>
</string>
<string id="coverpage_service_code-audit_short">
<translation xml:lang="nl">code audit</translation>
<translation xml:lang="en">code audit</translation>
</string>
<string id="coverpage_service_load-test">
<translation xml:lang="nl">loadtest-diensten</translation>
<translation xml:lang="en">load testing services</translation>
</string>
<string id="coverpage_service_load-test_short">
<translation xml:lang="nl">load test</translation>
<translation xml:lang="en">load test</translation>
</string>
<string id="coverpage_for">
<translation xml:lang="nl">VOOR</translation>
<translation xml:lang="en">FOR</translation>
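Review bot: The new ids follow the pattern `coverpage_service_<offer_type>` plus a `_short` variant, which presumably is looked up by concatenating the `offer_type` value from the quickscope template (`pentest|basic-scan|load-test|code-audit|other`); a mismatch between the two would fail silently at render time rather than at validation, and nothing in the file documents the coupling. A comment above the group such as `<!-- id suffix must match an offer_type value exactly; each type needs both a long and a _short string -->` would make the convention explicit. The rename to `coverpage_service_basic-scan_short` looks like it fixes a duplicated id with the string just above it, whose `id` line lies outside the hunk, so that reading is inferred.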


@ -24,7 +24,7 @@
intelligence agencies, or anything of the sort. If a job is even remotely
morally questionable, we simply won't do it.</li>
<li><b>Open-Source</b><br/>
Releasing ALL tools and frameworks, we build as open-source on our website.</li>
Releasing ALL tools and frameworks we build as open source.</li>
<li><b>Teach to fish</b><br/>
During engagements, we will not only share our results with your company,
but also provide a step-by-step description of how to perform the same


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p>
<company_short/> will perform a code audit to aid pentesting. During a
code audit, we manually examine the code of an application to ensure there
are no security vulnerabilities and use our understanding of the code to
guide our pentesting. If vulnerabilities are found, we document those and
suggest ways to fix them. This is done by highly-trained penetration testers
who can both review the raw code as well as interpret the findings of the
automated scans, putting them into context.
</p>
<p>
During the code audit portion of penetration tests, we take the following
criteria into account:
</p>
<ol>
<li>Risk Assessment and "Threat Modeling"<br/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred. We focus on encrypted storage, discover if <client_short/> employees
have a backdoor into data, and cut loose stolen devices by wiping them
remotely and revoking accounts.
</li>
<li>Purpose and Context<br/>
Here we focus on risks, especially in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret
when we know who will be in meetings, but what's being discussed is secret.
</li>
<li>Complexity<br/>
The complexity of the system is in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also
focus on implementation mistakes and known flaws in the systems. For
example, we'd ensure you're using the latest versions of software,
but we wouldn't delve into the framework itself. Since we assume the
code is written by a team, it should be clearly-written code. If you have
several full-release versions, there will undoubtedly be several revisions
and audits on that code.
</li>
</ol>
<p>
For more information, please refer to this link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">
https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a>
</p>
</section>


@ -1,40 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p><company_short/> will perform a code audit to aid pentesting. During a
code audit, we manually examine the code of an application to ensure there
are no security vulnerabilities and use our understanding of the code to
guide our pentesting. If vulnerabilities are found, we document those and
suggest ways to fix them. This is done by highly-trained penetration testers
who can both review the raw code as well as interpret the findings of the
automated scans, putting them into context.</p>
<p>During the code audit portion of penetration tests, we take the following
criteria into account:</p>
<ol>
<li>Risk Assessment and "Threat Modeling"<br/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred. We focus on encrypted storage, discover if <client_short/> employees
have a backdoor into data, and cut loose stolen devices by wiping them
remotely and revoking accounts.</li>
<li>Purpose and Context<br/>
Here we focus on risks, especially in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret
when we know who will be in meetings, but what's being discussed is secret.</li>
<li>Complexity<br/>
The complexity of the system is in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also
focus on implementation mistakes and known flaws in the systems. For
example, we'd ensure you're using the latest versions of software,
but we wouldn't delve into the framework itself. Since we assume the
code is written by a team, it should be clearly-written code. If you have
several full-release versions, there will undoubtedly be several revisions
and audits on that code.</li>
</ol>
<p>For more information, please refer to this link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a></p>
</section>


@ -0,0 +1,27 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Terms and Conditions</title>
<p>
<company_short/> will only perform the <company_svc_short/>
if it has obtained the permission from <generate_permission_parties/>
as set out in the waiver, attached as <b>Annex 2</b>,
or provided in a separate document.
</p>
<p>
<company_short/> performs this assignment on the basis of its general
terms and conditions, which are attached to this offer as Annex 1.
<company_short/> rejects any general terms and conditions used by
<client_short/>.
</p>
<p>
In order to agree to this offer, please sign this letter in duplicate
and return it to:
</p>
<contact>
<name><company_legal_rep/></name>
<address><company_long/><br/>Overdiemerweg 28<br/>1111 PP Diemen</address>
<email>melanie@radicallyopensecurity.com</email>
</contact>
<generate_offer_signature_box/>
</section>
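Review bot: The `<contact>` block hard-codes a street address and a personal email address while the rest of the snippet resolves company data through `<company_long/>` and `<company_legal_rep/>`, so a change of address or contact person has to be found and edited by hand in this snippet (and presumably in the generic `conditions` snippet it was copied from). If `snippets/company_info.xml` exposes the address and email, referencing them the same way as the other placeholders keeps one source of truth; if it does not, a comment such as `<!-- keep in sync with snippets/company_info.xml -->` above `<contact>` at least points maintainers to the right file. Whether a per-subtype copy of the conditions snippet is needed at all depends on the generic `conditions` snippet, which is not in this hunk.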


@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Disclaimer</title>
<p>
It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is
secure. <company_short/>, instead, has an obligation to make reasonable
efforts (in Dutch: “<i>inspanningsverplichting</i>”) to perform the
agreed services.
</p>
<p>
<company_short/> and <client_short/> agree to take reasonable measures to
maintain the confidentiality of information and any personal data they gain
access to in the course of performing the code audit. Both parties will use the
information and data they receive or access only for the purposes outlined
in this agreement.
<company_short/> warrants that all core-team members, external freelancers,
and volunteers it engages to perform the code audit have signed a
non-disclosure agreement (NDA).
</p>
</section>
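Review bot: The two sentences that say `performing the code audit` are the only subtype-specific text in this snippet, yet the `conditions_code-audit` snippet added in the same commit already names the service through `<company_svc_short/>`. Writing `performing the <company_svc_short/>` in both places would let one generic disclaimer serve every subtype and make the separate `disclaimer_code-audit` entry in `snippet_selection` unnecessary. That assumes `<company_svc_short/>` resolves to the right service name for the `code-audit` subtype and that the generic `disclaimer` snippet is otherwise identical, neither of which is visible here.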


@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p>
<company_short/> will perform a code audit. During this process we will verify if the proper
security controls are present, work as intended and are implemented correctly.
If vulnerabilities are found, we determine the threat level by assessing the
likelihood of exploitation of this vulnerability and the impact on the
Confidentiality, Integrity and Availability (CIA) of the system. We will describe how an
attacker would exploit the vulnerability and suggest ways of fixing it.<br/>
This requires an extensive knowledge of the platform the application is running on, as well
as the extensive knowledge of the language the application in written
in and patterns that have been used. Therefore a code audit done by highly-trained
specialists with a strong background in programming.
</p>
<p>
During the code audit, we take the following approach:
</p>
<ol>
<li>Thorough comprehension of functionality<br/>
We try to get a thorough comprehension of how the application works and how
it interacts with the user and other systems. Having detailed documentation
(manuals, flow charts, system sequence diagrams, design documentation) at
this stage is very helpful, as they aid the understanding of the application
</li>
<li>Static analysis<br/>
Using the understanding we gained in the previous step, we will use static code
analysis to uncover any vulnerabilities. Static analysis means the specialist will
analyze the code and implementation of security controls to get an understanding of
the security of the application, rather than running the application to reach the same
goal. This is primarily a manual process, where the specialist relies on his knowledge and expertise
to find the flaws in the application. The specialist may be aided in this process by
automatic analysis tools, but his or her skills are the driving force.<br/>
Depending on the type of application, we will identify the endpoints. In this case, it means
where data enters and leaves the application. The data is then followed through the application
and is leading in determining if assessing the quality of the security measures.
</li>
<li>Dynamic analysis<br/>
Dynamic analysis can also be performed. In this case, the program
is run and actively exploited by the specialist. This is usually done to confirm
a vulnerability and as such follows the result of the static analysis.
</li>
</ol>
</section>
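Review bot: Several sentences in the new text are ungrammatical and will be printed verbatim in customer-facing offers: `as the extensive knowledge of the language the application in written` should read `is written`, `Therefore a code audit done by highly-trained` is missing `is done by`, and `and is leading in determining if assessing the quality of the security measures` does not parse (probably `and is leading in assessing the quality of the security measures`). The first list item also ends without a full stop after `understanding of the application`, and the static-analysis item switches between `his knowledge` and `his or her skills` two lines apart. The `<br/>` inside each `<li>` before the body text is the same layout device the other methodology snippets use, so that part is consistent.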


@ -1,15 +1,118 @@
<?xml version="1.0" encoding="UTF-8"?>
<snippet_selection>
<!-- QUOTES -->
<!-- [NOTE: when creating a new offerte subtype, please make sure you have at least one snippet_group with @set="group1"] -->
<document type="offerte">
<selection subtype="pentest">
<snippet>introandscope</snippet>
<snippet>projectoverview</snippet>
<snippet_group set="group1">
<snippet>introandscope</snippet>
<snippet>projectoverview</snippet>
<snippet>prerequisites</snippet>
<snippet>disclaimer</snippet>
<snippet>methodology</snippet>
</snippet_group>
<snippet_group set="additionalcodeaudit">
<!-- isolated since it is subject to logic (unlike some people) -->
<snippet>additional-code-audit_methodology</snippet>
</snippet_group>
<snippet_group set="group2">
<snippet>teamandreporting</snippet>
<snippet>planningandpayment</snippet>
<snippet>aboutus</snippet>
<snippet>conditions</snippet>
<snippet>generaltermsandconditions</snippet>
<snippet>waiver</snippet>
</snippet_group>
</selection>
<selection subtype="basic-scan">
<snippet>introandscope</snippet>
<snippet>projectoverview</snippet>
<snippet_group set="group1">
<snippet>introandscope</snippet>
<snippet>projectoverview</snippet>
<snippet>prerequisites</snippet>
<snippet>disclaimer</snippet>
<snippet>methodology</snippet>
</snippet_group>
<snippet_group set="additionalcodeaudit">
<!-- isolated since it is subject to logic -->
<snippet>additional-code-audit_methodology</snippet>
</snippet_group>
<snippet_group set="group2">
<snippet>teamandreporting</snippet>
<snippet>planningandpayment</snippet>
<snippet>aboutus</snippet>
<snippet>conditions</snippet>
<snippet>generaltermsandconditions</snippet>
<snippet>waiver</snippet>
</snippet_group>
</selection>
<selection subtype="load-test">
<snippet_group set="group1">
<snippet>introandscope</snippet>
<snippet>projectoverview</snippet>
<snippet>prerequisites</snippet>
<snippet>disclaimer</snippet>
<snippet>methodology_load-test</snippet>
</snippet_group>
<snippet_group set="additionalcodeaudit">
<!-- isolated since it is subject to logic -->
<snippet>additional-code-audit_methodology</snippet>
</snippet_group>
<snippet_group set="group2">
<snippet>teamandreporting</snippet>
<snippet>planningandpayment</snippet>
<snippet>aboutus</snippet>
<snippet>conditions</snippet>
<snippet>generaltermsandconditions</snippet>
<snippet>waiver</snippet>
</snippet_group>
</selection>
<selection subtype="code-audit">
<!-- no additional code audit presumed :) -->
<snippet_group set="group1">
<snippet>introandscope</snippet>
<snippet>projectoverview</snippet>
<snippet>prerequisites</snippet>
<snippet>disclaimer_code-audit</snippet>
<snippet>methodology_code-audit</snippet>
<snippet>teamandreporting</snippet>
<snippet>planningandpayment</snippet>
<snippet>aboutus</snippet>
<snippet>conditions_code-audit</snippet>
<snippet>generaltermsandconditions</snippet>
<snippet>waiver</snippet>
</snippet_group>
</selection>
<selection subtype="other">
<!-- standard -->
<snippet_group set="group1">
<snippet>introandscope</snippet>
<snippet>projectoverview</snippet>
<snippet>prerequisites</snippet>
<snippet>disclaimer</snippet>
<snippet>methodology</snippet>
</snippet_group>
<snippet_group set="additionalcodeaudit">
<!-- isolated since it is subject to logic -->
<snippet>additional-code-audit_methodology</snippet>
</snippet_group>
<snippet_group set="group2">
<snippet>teamandreporting</snippet>
<snippet>planningandpayment</snippet>
<snippet>aboutus</snippet>
<snippet>conditions</snippet>
<snippet>generaltermsandconditions</snippet>
<snippet>waiver</snippet>
</snippet_group>
</selection>
</document>
<!-- CONTRACTS -->
<!-- [NOTE: when creating a new contract subtype, please make sure you have at least one snippet_group with @set="agree1"] -->
<document type="contract">
<selection subtype="single_engagement">
<snippet_group set="parties">
@ -23,7 +126,7 @@
<snippet>wa_contractorcan</snippet>
<snippet>wa_noemploymentintention</snippet>
</snippet_group>
<snippet_group set="agree">
<snippet_group set="agree1">
<!-- define agreement -->
<snippet>ag_noemployment</snippet>
<snippet>ag_companyinstructs</snippet>
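Review bot: In the first hunk the `pentest`, `basic-scan` and `other` selections carry byte-identical `group1`/`additionalcodeaudit`/`group2` contents, so every future change to the standard offer layout must be replicated three times, and the comments inside the three `additionalcodeaudit` groups have already diverged. If the consuming stylesheet allows it, a single `<selection>` that lists several subtypes, or a shared group the others reference, would remove the duplication; otherwise a comment on `<document type="offerte">` stating that these three selections must be kept identical is the minimum. The requirement that each subtype have a `@set="group1"` (and each contract subtype a `@set="agree1"`) group is stated only in comments; if a schema exists for this file, a constraint there would catch a missing group at validation time rather than at build. The contract `<selection>` started in the first hunk continues past it.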


@ -1,466 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<fo:root xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:fo="http://www.w3.org/1999/XSL/Format">
<fo:layout-master-set>
<fo:simple-page-master margin-top="0.5cm" margin-bottom="1.5cm" margin-left="1.5cm"
margin-right="1.5cm" page-height="29.7cm" page-width="21.0cm" master-name="Cover">
<fo:region-body margin-top="3.6cm" margin-bottom="1cm" region-name="region-body"/>
<fo:region-before precedence="true" extent="2.7cm" region-name="region-before-cover"/>
<fo:region-after precedence="true" extent="0.6cm" padding="0"
region-name="region-after-cover"/>
</fo:simple-page-master>
<fo:simple-page-master margin-top="0.5cm" margin-bottom="1.5cm" margin-left="1.5cm"
margin-right="1.5cm" page-height="29.7cm" page-width="21.0cm" master-name="Content">
<fo:region-body margin-top="2cm" margin-bottom="1cm" region-name="region-body"/>
<fo:region-before precedence="true" extent="0.6cm" region-name="region-before-content"/>
<fo:region-after precedence="true" extent="0.6cm" padding="0"
region-name="region-after-content"/>
</fo:simple-page-master>
<fo:page-sequence-master master-name="Report">
<fo:repeatable-page-master-alternatives>
<fo:conditional-page-master-reference master-reference="Cover"
blank-or-not-blank="not-blank" page-position="first"/>
<fo:conditional-page-master-reference master-reference="Content"
blank-or-not-blank="not-blank"/>
</fo:repeatable-page-master-alternatives>
</fo:page-sequence-master>
</fo:layout-master-set>
<fo:page-sequence master-reference="Report">
<fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black"
flow-name="region-before-cover">
<fo:block><fo:table width="100%" table-layout="fixed">
<fo:table-column column-width="proportional-column-width(40)"/>
<fo:table-column column-width="proportional-column-width(20)"/>
<fo:table-column column-width="proportional-column-width(40)"/>
<fo:table-body>
<fo:table-row>
<fo:table-cell text-align="right" display-align="after" padding-bottom="5mm">
<fo:block font-family="LiberationSansNarrow" font-size="8pt" color="black"
><fo:block font-weight="bold" color="#FF5C00">Radically Open Security
B.V.</fo:block><fo:block>Overdiemerweg 28</fo:block><fo:block>1111
PP Diemen</fo:block><fo:block>The Netherlands</fo:block></fo:block>
</fo:table-cell>
<fo:table-cell text-align="center">
<fo:block><fo:external-graphic padding-top="0cm" padding-bottom="0cm"
src="url(../graphics/logo_alt.png)" width="30mm"
content-width="scale-to-fit" content-height="scale-to-fit"
scaling="uniform"/></fo:block>
</fo:table-cell>
<fo:table-cell display-align="after" padding-bottom="5mm">
<fo:block font-family="LiberationSansNarrow" font-size="8pt" color="black"
><fo:block font-weight="bold" color="#FF5C00"
>www.radicallyopensecurity.com</fo:block><fo:block>info@radicallyopensecurity.com</fo:block><fo:block>Chamber
of Commerce 60628081</fo:block><fo:block>VAT number
853989655B01</fo:block></fo:block>
</fo:table-cell>
</fo:table-row>
</fo:table-body>
</fo:table></fo:block>
</fo:static-content>
<fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black"
flow-name="region-before-content">
<fo:block text-align="right" font-weight="normal"/>
</fo:static-content>
<fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black"
flow-name="region-after-cover">
<fo:block text-align-last="justify" text-align="center"
><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader
leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt"
color="black">Radically Open Security B.V. - Chamber of Commerce
60628081</fo:inline></fo:block>
</fo:static-content>
<fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black"
flow-name="region-after-content">
<fo:block text-align-last="justify" text-align="center"
><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader
leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt"
color="black">Radically Open Security B.V. - Chamber of Commerce
60628081</fo:inline></fo:block>
</fo:static-content>
<fo:flow font-family="LiberationSansNarrow" font-size="12pt" color="black"
flow-name="region-body">
<fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white"
font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm"
background-color="#FF5C00">SECURITY CONSULTING AGREEMENT</fo:block>
<fo:block><fo:block margin-bottom="10pt" line-height="18pt"><fo:inline
text-decoration="underline"><fo:inline font-weight="bold">Radically Open
Security B.V.</fo:inline></fo:inline>, located at Overdiemerweg 28, 1111
PP, Diemen, represented by Melanie Rieback (“<fo:inline font-weight="bold"
>ROS</fo:inline>”);</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">AND</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline
text-decoration="underline"><fo:inline font-weight="bold">Peter Pan (Lost
Boys Inc.)</fo:inline></fo:inline>, with his address at Cloud 9, 1234 XX,
Treehouse City, Neverland (the “<fo:inline font-weight="bold"
>Consultant</fo:inline>”);</fo:block></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">WHEREAS:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm"
provisional-label-separation="2.5mm" margin-bottom="1.5cm" space-after="12pt"
start-indent="1cm">
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>A. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The Consultant is willing and able to perform the activities
mentioned hereafter.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>B. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>ROS and the Consultant have no intention whatsoever to agree upon
an employment agreement and this agreement is only drafted to enable the
Consultant to perform incidental activities for ROS. ROS and the
Consultant explicitly confirm that this agreement does not qualify as an
employment agreement. The Consultant is free to perform work for other
parties, and in fact does so on a regular basis.</fo:block>
</fo:list-item-body>
</fo:list-item>
</fo:list-block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white"
font-weight="bold" text-transform="uppercase" font-style="italic"
font-size="14pt" margin-bottom="0.8cm" background-color="#999999">AGREE AS
FOLLOWS</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm"
provisional-label-separation="2.5mm" margin-bottom="1.5cm" space-after="12pt"
start-indent="1cm">
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>1. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block><fo:block margin-bottom="5pt">This contract shall be effective
as of August 18, 2016 for the period of 28 days. This contract will
end by operation of law on September 15, 2016 without any notice
being required.</fo:block>
<fo:block margin-bottom="5pt">In case of tacit extension of this
contract, the parties agree to do so for the same term and on the
same conditions. Either party is entitled to give notice of
termination of the contract with immediate effect. Notice of
termination should be given by email. (To ROS:
info@radicallyopensecurity.com; to the Consultant: peter@pan.tech)
The other party will confirm the termination by return.</fo:block>
<fo:block margin-bottom="5pt">Premature termination shall not give
rise to liability or financial compensation for either
party.</fo:block></fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>2. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>ROS and the Consultant explicitly do not intend to enter into
an employment agreement (in Dutch: “<fo:inline font-style="italic"
>arbeidsovereenkomst</fo:inline>”) as in Article 7:610 Burgerlijk
Wetboek. The Consultant guarantees he shall never claim an employment
agreement exists. </fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>3. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>ROS instructs (in Dutch: "<fo:inline font-style="italic">wijst
aan</fo:inline>"; not "<fo:inline font-style="italic"
>instrueert</fo:inline>") the Consultant and the Consultant
agrees to perform the following activities (the “<fo:inline
font-weight="bold">Activities</fo:inline>”): <fo:list-block
xmlns:my="http://radical.sexy" margin-bottom="10pt"
line-height="18pt">
<fo:list-item>
<fo:list-item-label end-indent="label-end()">
<fo:block><fo:inline>•</fo:inline></fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>Taunting Captain Hook</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item>
<fo:list-item-label end-indent="label-end()">
<fo:block><fo:inline>•</fo:inline></fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>Feeding crocodiles</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item>
<fo:list-item-label end-indent="label-end()">
<fo:block><fo:inline>•</fo:inline></fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>Flying to and fro ('to' and 'fro' to be specified
at takeoff)</fo:block>
</fo:list-item-body>
</fo:list-item>
</fo:list-block></fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>4. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The Consultant is working at his or her own risk (in Dutch:
“<fo:inline font-style="italic">voor eigen rekening en
risico</fo:inline>”). The Consultant is free to perform the
Activities at his or her own discretion (in Dutch: “<fo:inline
font-style="italic">naar eigen inzicht</fo:inline>”) and
independently. The Consultant will use his own resources and tools to
perform the Activities for ROS.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>5. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The agreed working hours shall amount to 30 hours per month.
The Consultant may be expected to perform overtime outside the
established working hours whenever this is necessary for the proper
performance of the Activites.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>6. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block><fo:block margin-bottom="5pt">ROS will pay the Consultant € 50
per hour excluding VAT. It will do so after ROS has received an
invoice from the Consultant. The Consultant will send an invoice
within 14 days after the end of each calendar month for the
Activities performed during that month.</fo:block>
<fo:block margin-bottom="5pt">ROS will then pay the agreed amount
within 30 days of receipt of the invoice. ROS will also pay
reasonable travel expenses of the Consultant, to the extent that
ROS has given prior written approval for such costs and the
Consultant provides ROS with an invoice or other documentation for
these expenses. ROS will not reimburse any other costs the
Consultant incurs in the course of the Activities, unless ROS has
given prior written approval for such costs. For the avoidance of
doubt, ROS shall pay no wages (in Dutch: "<fo:inline
font-style="italic">salaris</fo:inline>") to the Consultant and
therefore, ROS shall not provide payslips to the Consultant, nor
pay to the Consultant any money or allowance in the event of a
holiday or illness of the Consultant.</fo:block></fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>7. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>If during the course of the Activities, there is a risk that
the scope of the assignment is bigger than expected, the Consultant
will let ROS know without delay.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>8. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The Consultant transfers to ROS all intellectual property
rights created as a result of the Activities. To the extent that it is
not possible to transfer these rights, he grants to ROS a perpetual,
exclusive transferable, sub-licensable, world-wide license to such
rights, and agrees to co-operate with the transfer of these rights to
ROS. To the extent that the Consultant has transferred these rights to
ROS, ROS grants a perpetual, non-exclusive, non-transferable,
not-sub-licensable, world-wide license to such rights to the
Consultant, unless ROS considers this impossible, due to obligations
ROS might have vis-à-vis others. In that case, ROS will explore
whether it is possible to grant to the Consultant a license on the
rights with a narrower scope. For the avoidance of doubt, any rights
of the Consultant vested in software or services developed prior to
the Activities are not affected by this agreement.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>9. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The Consultant retains all intellectual property rights he owns
prior to this agreement.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>10. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The Consultant will not disclose confidential information and
personal data he receives from ROS, or gains access to in the course
of the Activities. The Consultant will only use this information or
data for the purposes of carrying out this agreement. The Consultant
will take reasonable measures to maintain the confidentiality of this
information and data. The Consultant may disclose this information and
data on a need-to-know basis, and only to persons associated with ROS
as employee, freelancer or volunteer and only if the Consultant knows
that they are bound by the same confidentiality
obligations.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>11. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The Consultant is responsible: <fo:list-block
provisional-distance-between-starts="0.75cm"
provisional-label-separation="2.5mm" space-after="0pt"
start-indent="2.25cm">
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>•</fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>for ensuring that any work performed in the course
of this agreement is lawful (in Dutch: “<fo:inline
font-style="italic">rechtmatig</fo:inline>”) and not
illegal (in Dutch: “<fo:inline font-style="italic">niet
strafbaar</fo:inline>”);</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>•</fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>for ensuring that by performing the Activities, he
does not act contrary to a non-compete- or a
confidentiality obligation he may have. If there is a risk
that the Consultant will act contrary to such an
obligation, he will inform ROS without delay. ROS then has
the right to terminate the agreement without
compensation;</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>•</fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>and for paying any applicable taxes and social
security premiums following from the Activities. Should
ROS have to pay any of these, the Consultant will
indemnify ROS.</fo:block>
</fo:list-item-body>
</fo:list-item>
</fo:list-block></fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>12. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>Should a third party lodge a claim against ROS or any of its
employees, freelancers or volunteers, or the public prosecutor
initiate an investigation or criminal proceedings against any of these
parties, as a result of activities performed by the Consultant under
this agreement, then the Consultant will co-operate fully with ROS in
defending against this claim, investigation or these proceedings,
including by providing any evidence he or she has which may be
relevant to this defense.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>13. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>Unless a result of gross negligence or willful misconduct, the
liability of either party to the other for any type of damages is
limited to the amount of Consultant's total fees under Article 5 of
this agreement.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>14. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>If any of the provisions of this agreement is annulled or void,
the other provisions remain in effect. To the extent possible, the
annulled or void provision will be replaced by a similar provision
that has the same effect.</fo:block>
</fo:list-item-body>
</fo:list-item>
<fo:list-item margin-bottom="5pt">
<fo:list-item-label end-indent="label-end()">
<fo:block>15. </fo:block>
</fo:list-item-label>
<fo:list-item-body start-indent="body-start()">
<fo:block>The general terms and conditions of ROS apply to this
agreement. ROS rejects any general terms and conditions used by the
Consultant.</fo:block>
</fo:list-item-body>
</fo:list-item>
</fo:list-block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white"
font-weight="bold" text-transform="uppercase" font-style="italic"
font-size="14pt" margin-bottom="0.8cm" background-color="#999999">SIGNED IN
DUPLICATE ON AUGUST 18, 2016 IN</fo:block>
<fo:block margin-top="1.5cm" keep-together.within-page="always"
><fo:block><fo:table border-width="1pt" border-style="solid"
border-color="black" width="100%" table-layout="fixed">
<fo:table-column border-width="1pt" border-style="solid"
border-color="black" column-width="proportional-column-width(50)"/>
<fo:table-column border-width="1pt" border-style="solid"
border-color="black" column-width="proportional-column-width(50)"/>
<fo:table-body>
<fo:table-row>
<fo:table-cell padding="2pt">
<fo:block>Treehouse City</fo:block>
</fo:table-cell>
<fo:table-cell padding="2pt">
<fo:block>Diemen</fo:block>
</fo:table-cell>
</fo:table-row>
<fo:table-row>
<fo:table-cell padding="2pt">
<fo:block> </fo:block>
<fo:block> </fo:block>
</fo:table-cell>
<fo:table-cell padding="2pt">
<fo:block> </fo:block>
<fo:block> </fo:block>
</fo:table-cell>
</fo:table-row>
<fo:table-row>
<fo:table-cell padding="2pt">
<fo:block>Peter Pan</fo:block>
</fo:table-cell>
<fo:table-cell padding="2pt">
<fo:block>Melanie Rieback</fo:block>
</fo:table-cell>
</fo:table-row>
<fo:table-row>
<fo:table-cell padding="2pt">
<fo:block font-weight="bold">Lost Boys Inc.</fo:block>
</fo:table-cell>
<fo:table-cell padding="2pt">
<fo:block font-weight="bold">Radically Open Security
B.V.</fo:block>
</fo:table-cell>
</fo:table-row>
</fo:table-body>
</fo:table></fo:block></fo:block>
</fo:block>
</fo:block>
</fo:block>
<fo:block id="EndOfDoc"/>
</fo:flow>
</fo:page-sequence>
</fo:root>

Binary file not shown.

File diff suppressed because one or more lines are too long

Binary file not shown.

File diff suppressed because one or more lines are too long


@ -1,181 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<fo:root xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:fo="http://www.w3.org/1999/XSL/Format">
<fo:layout-master-set>
<fo:simple-page-master margin-top="0.5cm"
margin-bottom="1.5cm"
margin-left="1.5cm"
margin-right="1.5cm"
page-height="29.7cm"
page-width="21.0cm"
master-name="Cover">
<fo:region-body margin-top="3.6cm" margin-bottom="1cm" region-name="region-body"/>
<fo:region-before precedence="true" extent="2.7cm" region-name="region-before-cover"/>
<fo:region-after precedence="true"
extent="0.6cm"
padding="0"
region-name="region-after-cover"/>
</fo:simple-page-master>
<fo:simple-page-master margin-top="0.5cm"
margin-bottom="1.5cm"
margin-left="1.5cm"
margin-right="1.5cm"
page-height="29.7cm"
page-width="21.0cm"
master-name="Content">
<fo:region-body margin-top="2cm" margin-bottom="1cm" region-name="region-body"/>
<fo:region-before precedence="true"
extent="0.6cm"
region-name="region-before-content"/>
<fo:region-after precedence="true"
extent="0.6cm"
padding="0"
region-name="region-after-content"/>
</fo:simple-page-master>
<fo:page-sequence-master master-name="Report">
<fo:repeatable-page-master-alternatives>
<fo:conditional-page-master-reference master-reference="Cover"
blank-or-not-blank="not-blank"
page-position="first"/>
<fo:conditional-page-master-reference master-reference="Content" blank-or-not-blank="not-blank"/>
</fo:repeatable-page-master-alternatives>
</fo:page-sequence-master>
</fo:layout-master-set>
<fo:page-sequence master-reference="Report">
<fo:static-content font-family="LiberationSansNarrow"
font-size="12pt"
color="black"
flow-name="region-before-cover">
<fo:block>
<fo:table width="100%" table-layout="fixed">
<fo:table-column column-width="proportional-column-width(40)"/>
<fo:table-column column-width="proportional-column-width(20)"/>
<fo:table-column column-width="proportional-column-width(40)"/>
<fo:table-body>
<fo:table-row>
<fo:table-cell text-align="right" display-align="after" padding-bottom="5mm">
<fo:block font-family="LiberationSansNarrow" font-size="8pt" color="black">
<fo:block font-weight="bold" color="#FF5C00">Radically Open Security B.V.</fo:block>
<fo:block>Overdiemerweg 28</fo:block>
<fo:block>1111 PP Diemen</fo:block>
<fo:block>The Netherlands</fo:block>
</fo:block>
</fo:table-cell>
<fo:table-cell text-align="center">
<fo:block>
<fo:external-graphic padding-top="0cm"
padding-bottom="0cm"
src="url(../graphics/logo_alt.png)"
width="30mm"
content-width="scale-to-fit"
content-height="scale-to-fit"
scaling="uniform"/>
</fo:block>
</fo:table-cell>
<fo:table-cell display-align="after" padding-bottom="5mm">
<fo:block font-family="LiberationSansNarrow" font-size="8pt" color="black">
<fo:block font-weight="bold" color="#FF5C00">www.radicallyopensecurity.com</fo:block>
<fo:block>info@radicallyopensecurity.com</fo:block>
<fo:block>Chamber of Commerce 60628081</fo:block>
<fo:block>VAT number 853989655B01</fo:block>
</fo:block>
</fo:table-cell>
</fo:table-row>
</fo:table-body>
</fo:table>
</fo:block>
</fo:static-content>
<fo:static-content font-family="LiberationSansNarrow"
font-size="12pt"
color="black"
flow-name="region-before-content">
<fo:block text-align="right" font-weight="normal"/>
</fo:static-content>
<fo:static-content font-family="LiberationSansNarrow"
font-size="12pt"
color="black"
flow-name="region-after-cover">
<fo:block text-align-last="justify" text-align="center">
<fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="#FF5C00">Please keep digital unless absolutely required. Read the (unique) terms and conditions of Radically Open Security at: https://radicallyopensecurity.com/TermsandConditions.pdf</fo:inline>
</fo:block>
</fo:static-content>
<fo:static-content font-family="LiberationSansNarrow"
font-size="12pt"
color="black"
flow-name="region-after-content">
<fo:block text-align-last="justify" text-align="center">
<fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="#FF5C00">Please keep digital unless absolutely required. Read the (unique) terms and conditions of Radically Open Security at: https://radicallyopensecurity.com/TermsandConditions.pdf</fo:inline>
</fo:block>
</fo:static-content>
<fo:flow font-family="LiberationSansNarrow"
font-size="12pt"
color="black"
flow-name="region-body">
<fo:block>
<fo:block font-weight="bold"
keep-with-next.within-page="always"
text-align="center"
color="white"
font-size="18pt"
margin-bottom="1cm"
background-color="#FF5C00"
margin-top="1cm">Invoice nr. 00/000</fo:block>
<fo:block>
<fo:block>Sitting Duck B.V.</fo:block>
<fo:block>T.a.v. </fo:block>
<fo:block>Reed Street 42</fo:block>
<fo:block>0000 Pond City</fo:block>
<fo:block>Amazonia</fo:block>
<fo:block>freemoney@sittingduck.com</fo:block>
</fo:block>
<fo:block margin-bottom="8mm" text-align="right">August 25, 2016</fo:block>
<fo:block font-weight="bold"
keep-with-next.within-page="always"
text-align="center"
color="white"
font-style="normal"
font-size="18pt"
margin-bottom="0.8cm"
background-color="silver">Services Delivered</fo:block>
<fo:block>
<fo:table margin-bottom="8mm"
background-color="#EEEEEE"
width="100%"
table-layout="fixed">
<fo:table-column column-width="proportional-column-width(90)"/>
<fo:table-column column-width="proportional-column-width(10)"/>
<fo:table-body>
<fo:table-row>
<fo:table-cell padding="2pt"
border-collapse="separate"
border-spacing="5mm"
padding-top="2pt">
<fo:block>6-day penetration test Sitting Duck</fo:block>
</fo:table-cell>
<fo:table-cell padding="2pt"
border-collapse="separate"
border-spacing="5mm"
padding-top="2pt"
text-align="right">
<fo:block margin-bottom="5pt">€ 100.--</fo:block>
</fo:table-cell>
</fo:table-row>
</fo:table-body>
</fo:table>
</fo:block>
<fo:block margin-bottom="8mm">Radically Open Security B.V. donates &gt; 90% of its entire profits to
charity.</fo:block>
<fo:block margin-bottom="8mm">Please be so kind to pay within 30 days
by money transfer, to the following account:</fo:block>
<fo:block margin-bottom="8mm" margin-left="1.3cm">
<fo:block>Radically Open Security B.V.</fo:block>
<fo:block>IBAN: NL06 RABO 0188 2813 12</fo:block>
<fo:block>Reference: 00/000</fo:block>
</fo:block>
<fo:block>Kind regards,</fo:block>
<fo:block>your dedicated team at</fo:block>
<fo:block font-style="italic">Radically Open Security B.V.</fo:block>
</fo:block>
</fo:flow>
</fo:page-sequence>
</fo:root>

Binary file not shown.

Binary file not shown.


@ -1,568 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?><fo:root xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:fo="http://www.w3.org/1999/XSL/Format"><fo:layout-master-set><fo:simple-page-master margin-top="2cm" margin-bottom="1.8cm" margin-left="2cm" margin-right="2cm" page-height="29.7cm" page-width="21.0cm" master-name="Cover"><fo:region-body margin-top="1cm" margin-bottom="1cm" region-name="region-body"/><fo:region-before precedence="true" extent="0.6cm" region-name="region-before-cover"/><fo:region-after precedence="true" extent="0.6cm" padding="0" region-name="region-after-cover"/></fo:simple-page-master><fo:simple-page-master margin-top="2cm" margin-bottom="1.8cm" margin-left="2cm" margin-right="2cm" page-height="29.7cm" page-width="21.0cm" master-name="Content"><fo:region-body margin-top="1cm" margin-bottom="1cm" region-name="region-body"/><fo:region-before precedence="true" extent="0.6cm" region-name="region-before-content"/><fo:region-after precedence="true" extent="0.6cm" padding="0" region-name="region-after-content"/></fo:simple-page-master><fo:page-sequence-master master-name="Report"><fo:repeatable-page-master-alternatives><fo:conditional-page-master-reference master-reference="Cover" blank-or-not-blank="not-blank" page-position="first"/><fo:conditional-page-master-reference master-reference="Content" blank-or-not-blank="not-blank"/></fo:repeatable-page-master-alternatives></fo:page-sequence-master></fo:layout-master-set><fo:page-sequence master-reference="Report"><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-before-cover"><fo:block text-align="right" font-weight="bold"/></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-before-content"><fo:block text-align="right" font-weight="bold"/></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-after-cover"><fo:block 
text-align-last="justify"><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="black">Radically Open Security B.V. - Chamber of Commerce
60628081</fo:inline></fo:block></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-after-content"><fo:block text-align-last="justify"><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="black">Radically Open Security B.V. - Chamber of Commerce
60628081</fo:inline></fo:block></fo:static-content><fo:flow font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-body"><fo:block>
<fo:block text-align="center" margin-bottom="5pt"><fo:external-graphic padding-top="2cm" padding-bottom="3cm" src="url(../graphics/logo.png)" width="70mm" content-width="scale-to-fit" content-height="scale-to-fit" scaling="uniform"/></fo:block><fo:block font-weight="bold" keep-with-next.within-page="always" text-align="center" color="white" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">RADICALLY OPEN SECURITY B.V.</fo:block><fo:block text-align="center" margin-bottom="1cm" font-size="16pt" font-weight="bold">OFFER</fo:block><fo:block font-weight="bold" keep-with-next.within-page="always" text-align="center" color="white" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">PENETRATION TESTING SERVICES</fo:block><fo:block text-align="center" margin-bottom="1cm" font-size="16pt" font-weight="bold">FOR</fo:block><fo:block font-weight="bold" keep-with-next.within-page="always" text-align="center" color="white" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#999999">Sitting Duck B.V.</fo:block><fo:block text-align="center" margin-bottom="1cm" font-size="16pt" font-weight="bold" break-after="page">August 25, 2016</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Introduction</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Sitting Duck B.V. (hereafter “<fo:inline font-weight="bold">Sitting Duck</fo:inline>”), with its registered office
at Reed Street 42, Pond City, Amazonia, has requested Radically Open Security B.V.
(hereafter “<fo:inline font-weight="bold">ROS</fo:inline>”) to perform penetration testing services.
Motivation for this request is that Sitting Duck wishes to get a better
insight in ...</fo:block>
<fo:block margin-bottom="1.5cm" line-height="18pt">This offer sets out the scope of the work and the terms and conditions under
which ROS will perform these services.</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Project Overview</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will perform penetration testing services
for Sitting Duck of the systems described below. The services are intended
to gain insight into the security of these systems. To do so, ROS
will access these systems, attempt to find vulnerabilities, and gain
further access and elevated privileges by exploiting any vulnerabilities
found.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will test the following targets
(the “<fo:inline font-weight="bold">Targets</fo:inline>”):</fo:block>
<fo:list-block margin-bottom="10pt" line-height="18pt" provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item><fo:list-item-label end-indent="label-end()"><fo:block><fo:inline>•</fo:inline></fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>dsfsd</fo:block></fo:list-item-body></fo:list-item><fo:list-item><fo:list-item-label end-indent="label-end()"><fo:block><fo:inline>•</fo:inline></fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>adfsd</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="1.5cm" line-height="18pt">ROS will test for the presence of the
most common vulnerabilities, using both publicly available vulnerability
scanning tools and manual testing. ROS shall perform a
6-day, crystal-box, intrusive test via the internet.</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Prerequisites</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">In order to perform this audit, ROS will need access to:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" margin-bottom="1.5cm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Test accounts</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Test environment</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Contact information of system administrators, in case of emergencies</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Disclaimer</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">It is possible that in the course of the penetration testing, ROS
might hinder the operations of the Targets or cause damage to the Targets.
Sitting Duck gives permission for this, to the extent that ROS
does not act negligent or recklessly. Sitting Duck also warrants it has the
authority to give such permission.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">It is important to understand the limits of ROS's services.
ROS does not (and cannot) give guarantees that something is
secure. ROS, instead, has an obligation to make reasonable
efforts (in Dutch: “<fo:inline font-style="italic">inspanningsverplichting</fo:inline>”) to perform the
agreed services.</fo:block>
<fo:block margin-bottom="1.5cm" line-height="18pt">ROS and Sitting Duck agree to take reasonable measures to
maintain the confidentiality of information and personal data they gain
access to in the course of performing the penetration test within the
Targets. Both parties will use the information and data they receive or
access only for the purposes outlined in this agreement.
ROS warrants that all core-team members, external freelancers,
and volunteers it engages to perform the penetration test have signed a
non-disclosure agreement (NDA). </fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Pentest Methodology</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">During the execution of penetration tests, Radically Open Security B.V. broadly follows
the following steps:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>1. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Requirements Gathering and Scoping; </fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>2. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Discovery;</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>3. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Validation;</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>4. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Information Collection;</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>5. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Threat and Vulnerability Analysis;</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>6. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Exploitation;</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>7. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Reporting;</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Step 1: Requirements Gathering and Scoping</fo:inline> <fo:block/>
The expectations of both parties are discussed and agreements are made regarding
how to conduct the test(s). For example, contact details and the pentest's scope
are documented.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Step 2: Discovery</fo:inline><fo:block/>
As much information as possible about the target organization and target objects
is collected. This information is passively gathered, primarily from public sources.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Step 3: Validation</fo:inline><fo:block/>
All customer-specified systems are cross-referenced with findings from the
Discovery step. We do this to ensure that discovered systems are legal property
of the customer and to verify the scope with the customer.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Step 4: Information Collection</fo:inline><fo:block/>
Information from Step 2 is now used to actively collect information about the
system. Activities conducted during this phase may include:
Determining which parts of the various components will be investigated;
Testing for the presence of known vulnerabilities, using automated tests;
Identifying the offered services and fingerprinting the software used for them.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Step 5: Threat and Vulnerability Analysis</fo:inline><fo:block/>
Potential threats and vulnerabilities are indexed, based upon the collected information.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Step 6: Exploitation</fo:inline><fo:block/>
Attempt to use vulnerabilities of the various components.
The diverse applications and components of the client's infrastructure are
relentlessly probed for frequently occurring design, configuration, and
programming errors.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Note: Radically Open Security B.V. uses open-source scanning tools to get its bearings,
but generally performs most of the exploitation by hand.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Step 7: Reporting</fo:inline><fo:block/>
After finishing the audit, a report will be delivered where the step-by-step
approach, results, and discovered vulnerabilities are described. The report and
results will be presented to the responsible project leader or manager at the
client's office.</fo:block>
<fo:block margin-bottom="1.5cm" line-height="18pt">Steps 4-6 may be repeated multiple times per test. For example, access may be
acquired in an external system, which serves as a stepping-stone to the internal network.
The internal network will then be explored in Steps 4 and 5, and exploited in Step 6.</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Code Audit</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will perform a code audit to aid pentesting. During a
code audit, we manually examine the code of an application to ensure there
are no security vulnerabilities and use our understanding of the code to
guide our pentesting. If vulnerabilities are found, we document those and
suggest ways to fix them. This is done by highly-trained penetration testers
who can both review the raw code as well as interpret the findings of the
automated scans, putting them into context.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">During the code audit portion of penetration tests, we take the following
criteria into account:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>1. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Risk Assessment and "Threat Modeling"<fo:block/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred. We focus on encrypted storage, discover if Sitting Duck employees
have a backdoor into data, and cut loose stolen devices by wiping them
remotely and revoking accounts.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>2. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Purpose and Context<fo:block/>
Here we focus on risks, especially in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret
when we know who will be in meetings, but what's being discussed is secret.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>3. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Complexity<fo:block/>
The complexity of the system is in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also
focus on implementation mistakes and known flaws in the systems. For
example, we'd ensure you're using the latest versions of software,
but we wouldn't delve into the framework itself. Since we assume the
code is written by a team, it should be clearly-written code. If you have
several full-release versions, there will undoubtedly be several revisions
and audits on that code.</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="1.5cm" line-height="18pt">For more information, please refer to this link:
<fo:basic-link color="blue" external-destination="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</fo:basic-link></fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Team and Reporting</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-style="italic" font-size="14pt" margin-bottom="0.8cm" background-color="#999999">Team</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS may perform the activities with its core-team
members, external freelancers, and/or volunteers.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">First point of contact for this assignment shall be:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Melanie Rieback (ROS)</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>Sir Knowsalot (Sitting Duck)</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="10pt" line-height="18pt">Our penetration tests are run a bit like a Capture The Flag
(CTF) competition:
Radically Open Security B.V. has a geographically distributed team
and we use online infrastructure (RocketChat, GitLabs, etc.)
to coordinate our work. This enables us to invite the
customer to send several technical people from their
organization to join our penetration test team on a volunteer basis.
Naturally, we extend this invitation to Sitting Duck as well.</fo:block>
<fo:block margin-bottom="1.5cm" line-height="18pt">Throughout the course of the audit, we intend to actively
brainstorm with Sitting Duck about both the penetration test and the process.
This is a continuous learning experience for both us and you.
Also, in our experience, a tight feedback loop with the customer
greatly improves both the quality and focus of the engagement.</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-style="italic" font-size="14pt" margin-bottom="0.8cm" background-color="#999999">Reporting</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will report to Sitting Duck on the penetration test.
This report will include the steps it has taken during the
test and the vulnerabilities it has found. It will include
recommendations but not comprehensive solutions on how to address
these vulnerabilities.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">A sample Pentest report can be found here</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:basic-link color="blue" external-destination="https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf">https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf</fo:basic-link></fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="1.5cm" line-height="18pt">One of ROS's Core Principles is the Teach
To Fish principle otherwise known as the 'Peek over our
Shoulder' (PooS) principle. We strive to structure our
services so they can also serve as a teaching or training
opportunity for our customers.</fo:block>
</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Planning and Payment</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will uphold the following dates for the planning of the services:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>ROS performs a penetration test on TBD.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>ROS delivers the final report TBD.</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="10pt" line-height="18pt">
Our fixed-fee price quote for the above described penetration
testing services is € 100.- excl. VAT and out-of-pocket expenses.
ROS will send an invoice after completion of this assignment.
Sitting Duck will pay the agreed amount within 30 days of the invoice date.
</fo:block>
<fo:block margin-bottom="1.5cm" line-height="18pt">
Any additional work will be charged separately. An hourly
rate for additional work will be agreed upon before starting this work.
</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">About Radically Open Security B.V.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Radically Open Security B.V. is the world's first not-for-profit computer security consultancy.
We operate under an innovative new business model whereby we use a Dutch fiscal
entity, called a “Fiscaal Fondswervende Instelling” (Fiscal Fund raising Institution),
as a commercial front-end to send 90% of our profits, tax-free, to a not-for-profit
foundation, Stichting NL net. The NLnet Foundation has supported open-source,
digital rights, and Internet research for almost 20 years.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">In contrast to other organizations, our profits do not benefit shareholders,
investors, or founders. Our profits benefit society. As an
organization without a profit-motive, we recruit top-name, ethical security
experts and find like-minded customers that want to use their IT security
budget as a "vote" to support socially responsible entrepreneurship. The rapid
pace of our current growth reflects the positive response the market has to our
idealistic philosophy and innovative business model.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Radically Open Security B.V. has a number of values that we describe as our
“Core Principles.” These are:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">No sketchy stuff</fo:inline><fo:block/>
We don't build surveillance systems, hack activists, sell exploits to
intelligence agencies, or anything of the sort. If a job is even remotely
morally questionable, we simply won't do it.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Open-Source</fo:inline><fo:block/>
Releasing ALL tools and frameworks, we build as open-source on our website.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Teach to fish</fo:inline><fo:block/>
During engagements, we will not only share our results with your company,
but also provide a step-by-step description of how to perform the same
audit or procedure without us. We want to demystify what we're doing.
It's not rocket science, and we genuinely want to help your company
improve its security posture, even if it costs us repeat business.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">IoCs for free</fo:inline><fo:block/>Releasing ALL collected threat intelligence
(Indicators of Compromise) into an open-source database that everyone can freely use.
(Sanitized in agreement with customers.)</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Zero days</fo:inline><fo:block/>
We don't sell zero-days - we responsibly disclose them!</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="1.5cm" line-height="18pt">For more information about Radically Open Security B.V., we refer you to our website:
<fo:basic-link color="blue" external-destination="http://www.radicallyopensecurity.com">www.radicallyopensecurity.com</fo:basic-link>.</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Terms and Conditions</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will only perform the penetration test
if it has obtained the permission from Sitting Duck B.V. and dafaf
as set out in the penetration testing waiver, attached as <fo:inline font-weight="bold">Annex 2</fo:inline>,
or provided in a separate document.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS performs this assignment on the basis of its general
terms and conditions, which are attached to this offer as Annex 1.
ROS rejects any general terms and conditions used by
Sitting Duck.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">In order to agree to this offer, please sign this letter in duplicate
and return it to:</fo:block>
<fo:block keep-together.within-page="always" margin-left="1.5cm" line-height="18pt">
<fo:block>Melanie Rieback</fo:block>
Radically Open Security B.V.<fo:block/>Overdiemerweg 28<fo:block/>1111 PP Diemen
<fo:block>melanie@radicallyopensecurity.com</fo:block>
</fo:block>
<fo:block margin-top="1.5cm" keep-together.within-page="always"><fo:block font-weight="bold" keep-with-next.within-page="always" text-align="center" color="white" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#999999">Signed in duplicate</fo:block><fo:block><fo:table border-width="1pt" border-style="solid" border-color="black" width="100%" table-layout="fixed"><fo:table-column border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(50)"/><fo:table-column border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(50)"/><fo:table-body><fo:table-row><fo:table-cell padding="2pt"><fo:block>August 25, 2016</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>August 25, 2016</fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block/></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Diemen</fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block> </fo:block><fo:block> </fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block> </fo:block><fo:block> </fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block>I.M. Portant</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Melanie Rieback</fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block font-weight="bold">Sitting Duck B.V.</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block font-weight="bold">Radically Open Security B.V.</fo:block></fo:table-cell></fo:table-row></fo:table-body></fo:table></fo:block></fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm" break-before="page">
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">Annex 1<fo:block/>General Terms and Conditions</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">What is this document?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">These are the general terms and conditions (in Dutch: “<fo:inline font-style="italic">algemene voorwaarden</fo:inline>”)
of Radically Open Security B.V. (ROS). This version of the general terms and conditions
is dated 15 July 2014.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">In the spirit of ROS's philosophy, ROS wants these
general terms and conditions to be as understandable as possible. If you have any
questions, feel free to ask for clarification.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">What is Radically Open Security B.V.?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS is a private limited liability company under Dutch law located
in Amsterdam, The Netherlands. It is registered at the Dutch Chamber of Commerce
under no. 60628081.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">To what do these terms and conditions apply?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">These general terms and conditions apply to all agreements between ROS
and the customer. ROS rejects any terms and conditions used by the
customer. The parties can only deviate from these general terms and conditions
in writing. These general terms and conditions are also intended to benefit any
person employed or engaged by ROS during the performance of an assignment.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">How does ROS agree on an assignment?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS wants both parties to have a clear picture of an assignment
before it starts. This means there only is an agreement between ROS
and the customer after ROS sends a written offer containing the key
terms of the agreement and the customer subsequently accepts the offer.
Communications other than the written offer do not form part of the agreement.
ROS can rescind an offer until it is accepted by the customer.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">What can the customer expect from ROS?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">It is important to understand the limits of ROS's services.
ROS does not (and cannot) give guarantees that something is secure.
ROS instead has an obligation to make reasonable efforts
(in Dutch: “<fo:inline font-style="italic">inspanningsverplichting</fo:inline>”) to perform the agreed services.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will make reasonable efforts to perform the assignment in
accordance with the plan set out in the offer (if any). If ROS
expects it will not fulfill the plan as documented, it will let the customer
know without delay. ROS is not automatically deemed to be in default
if it doesn't meet the plan.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS will make reasonable efforts to avoid disruption of the
customer's operations and damage to its owned or operated systems, but it
cannot guarantee that this will be avoided. The customer agrees
to this. ROS is not obliged to restore the systems or recover any
data deleted or amended in the course of the assignment.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">What can ROS expect from the customer?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">The customer will provide ROS with all means necessary to allow
ROS to perform the agreed services. If ROS needs explicit
permission from the customer to perform its services (for example, when doing
penetration tests) the customer gives this permission. The customer also warrants
that it has the legal authority to give this permission.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">How do the parties handle confidential information?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS and the customer will not disclose to others confidential
information and personal data they receive from each other or gain access to in
the course of an assignment. ROS has the right to disclose this
information and data to persons engaged by ROS, but only if these
persons have a similar confidentiality obligation vis-á-vis ROS.
Any person will only use the information and data it receives or gains access
to for the purposes following from the agreement. Both parties will take reasonable
measures to maintain the confidentiality of the information and data they received
or gained access to, and will ensure that persons engaged by them do the same.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">What does ROS do with vulnerabilities it finds in the course
of an assignment?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">If ROS in the course of an assignment finds a vulnerability which
might affect the customer, it will report this to the customer. If a vulnerability
might affect third parties as well, ROS retains the right to disclose
this vulnerability also to others than the customer. It will only do so after
having given the customer a reasonable period to take measures minimising the
impact of the vulnerability, in line with responsible disclosure best practices.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">What does ROS do with indicators of compromise it finds?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">If ROS in the course of an assignment finds indicators of
compromise, such as malware signatures and IP-addresses, it will report this to
the customer. ROS retains the right to also publish this information
in a publicly accessible database. It will only do so after it has given the
customer the opportunity to object to the publication of data which would
negatively impact the customer.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Who owns the products developed in the course of the assignment?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS retains any intellectual property rights in products developed
for an assignment, such as software and reports. ROS, however, wants
to teach as many customers as possible 'how to fish'.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">For software it developed, this means that ROS gives the customer
a permanent, non-exclusive, transferable, sub-licensable, worldwide license to
distribute and use the software in source and binary forms, with or without
modification (very similar to the BSD-license). If ROS's software
is based on other software which is provided under a license which restricts
ROS's ability to license its own software (such as the GPLv3 license),
the more restrictive license will apply.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">For other products it developed, such as reports and analyses, ROS
gives the customer the same license, but this license is exclusive to the customer
and does not contain the right to modification. The latter condition is intended
to ensure that the customer will not change ROS's products, such as
reports and analyses. ROS retains the right to reuse these products,
for example for training and marketing purposes. ROS will remove any
confidential information from these products before publication.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS retains title to any property transferred to the customer
until all outstanding payments by the customer have been done in full (in Dutch:
“<fo:inline font-style="italic">eigendomsvoorbehoud</fo:inline>”). ROS also only gives a license after
all outstanding payments have been done in full.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Who will perform the assignment?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS has the right to appoint the persons who will perform the
assignment. It has the right to replace a person with someone with at least the
same expertise, but only after having consulted with the customer. This means
that section 7:404 Dutch Civil Code (in Dutch: “<fo:inline font-style="italic">Burgerlijk Wetboek</fo:inline>”) is
excluded.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Due to the nature of ROS's business, ROS regularly
works with freelancers for the performance of its assignments. ROS
has the right to engage third parties, including freelancers, in the course of
the performance of an assignment.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS wants to be able to use the expertise of its entire team to
help with an assignment. This means that in the course of an assignment, it is
possible that the persons performing the assignment will consult with and be
advised by others in ROS's team. These others will of course be
bound by the same confidentiality obligations as the persons performing the assignment.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">What happens when the scope of the assignment is bigger than agreed?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS and the customer will attempt to precisely define the scope
of the assignment before ROS starts. If during the course of the
assignment, the scope turns out to be bigger than expected, ROS
will report this to the customer and make a written offer for the additional work.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">How is payment arranged?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">All amounts in ROS's offers are in Euros, excluding VAT and
other applicable taxes, unless agreed otherwise.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">For assignments where the parties agreed to an hourly fee, ROS
will send an invoice after each month. For other assignments, ROS
will send an invoice after completion of the assignment, and at moments set out
in the offer (if any). The customer must pay an invoice within 30 days of the
invoice date.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">ROS may, prior to an assignment, agree on the payment of a
deposit by the customer. ROS will settle deposits with interim
payments or the final invoice for the assignment.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">If the payment is not received before the agreed term, the client will be
deemed to be in default without prior notice. ROS will then have
the right to charge the statutory interest (in Dutch: “<fo:inline font-style="italic">wettelijke rente</fo:inline>”)
and any judicial and extrajudicial (collection) costs (in Dutch:
“<fo:inline font-style="italic">gerechtelijke- en buitengerechtelijke (incasso)kosten</fo:inline>”).</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">If the customer cancels or delays the assignment two weeks before it starts,
ROS is entitled to charge the customer 50% of the agreed price.
If the customer cancels or delays the assignment after it already started,
ROS is entitled to charge the customer 100% of the agreed price.
ROS is entitled to charge a pro rata percentage in the case of
cancellation or delay shorter than two weeks before the start of the assignment
(i.e. a cancellation one week before the assignment would entitle ROS
to charge 75% of the agreed price).</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">For what can ROS be held liable?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Any liability of ROS resulting from or related to the performance
of an assignment, shall be limited to the amount that is paid out in that
specific case under an applicable indemnity insurance of ROS,
if any, increased by the amount of the applicable deductible (in Dutch:
“<fo:inline font-style="italic">eigen risico</fo:inline>”) which under that insurance shall be borne by ROS.
If no amount is paid out under an insurance, these damages are limited to the
amount already paid for the assignment, with a maximum of EUR 10.000.
Each claim for damages shall expire after a period of one month from the day
following the day on which the customer became aware or could reasonably
be aware of the existence of the damages.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">To make things clear, ROS is not liable if a person associated
with ROS acts contrary to any confidentiality or non-compete
obligation vis-á-vis the customer or a third party, this person might have
agreed to in another engagement.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">What happens when third parties lodge a claim or initiate criminal proceedings
against ROS?</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">The customer shall indemnify ROS and any person employed or
engaged by ROS for any claims of third parties which are in any
way related to the activities of ROS and any person employed or
engaged by ROS for the customer.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Should a third party lodge a claim against ROS or any of the
consultants it engaged or employed as a result of the performance of the assignment
for the customer, then the customer will co-operate fully with ROS
in defending against this claim, including by providing to ROS any
evidence it has which relates to this claim.
Should the public prosecutor initiate an investigation or criminal proceedings
against ROS or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then the customer
will also co-operate fully with ROS in defending against this
investigation or proceedings, including by providing any evidence it has which
relates to this investigation or these proceedings.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">The customer shall reimburse ROS and any person employed or
engaged by ROS all costs of legal defence and all damages in
relation to these claims, investigations or proceedings. This provision does
not apply to the extent a claim, investigation, or proceeding is the result of
the intent or recklessness (in Dutch: “<fo:inline font-style="italic">opzet of bewuste roekeloosheid</fo:inline>”)
of ROS or a person employed or engaged by ROS.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">When is this agreement terminated and what happens then?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Each of the parties may terminate the agreement wholly or partly without
prior notice if the other party is declared bankrupt or is being wound up or if
the other party's affairs are being administered by the court
(in Dutch: “surséance van betaling”).</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">When can ROS not be expected to perform the assignment?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">In the case of force majeure (in Dutch: “<fo:inline font-style="italic">overmacht</fo:inline>”) as a result of
which ROS cannot reasonably be expected to perform the assignment,
the performance will be suspended. Situations of force majeure include cases
where means, such as soft- and hardware, which are prescribed by the customer
do not function well. The agreement may be terminated by either party if a
situation of force majeure has continued longer than 90 days. The customer will
then have to pay the amount for the work already performed pro rata.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold">Which law applies and which court is competent?</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">Dutch law applies to the legal relationship between ROS and its
customers. Any dispute between ROS and a customer will be resolved
in the first instance exclusively by the District Court (in Dutch:
“<fo:inline font-style="italic">rechtbank</fo:inline>”) of Amsterdam, the Netherlands.</fo:block>
</fo:block>
<fo:block margin-bottom="1.5cm" break-before="page"><fo:block font-weight="bold" keep-with-next.within-page="always" text-align="center" color="white" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00">ANNEX 2<fo:block/></fo:block>
<fo:block keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-style="italic" font-size="14pt" margin-bottom="0.8cm" background-color="#999999">penetration test - WAIVER</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold"><fo:inline font-style="italic">Sitting Duck B.V.</fo:inline> (<fo:inline font-style="italic">Sitting Duck</fo:inline>)</fo:inline>, with its registered office at Reed Street 42,
Pond City, Amazonia and duly represented by <fo:inline font-weight="bold">B.I.G. Wig</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">
<fo:inline font-weight="bold">WHEREAS:</fo:inline>
</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">A. Sitting Duck wants some of its systems to be tested,
Radically Open Security B.V. (“ROS”) has offered to perform
such testing for Sitting Duck and
Sitting Duck has accepted this offer.
The assignment will be performed by ROS' core-team members, external
freelancers, and/or volunteers (the “Consultants”).</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">B. Some of the activities performed by
ROS and the
Consultants during the course of this assignment could be considered
illegal, unless Sitting Duck has given permission for
these activities. ROS
and the Consultant will only perform such activities if they have received
the required permission.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">C. Sitting Duck is
willing to give such permission to ROS, the Consultants and any
other person ROS might
employ or engage for the assignment.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">
<fo:inline font-weight="bold">DECLARES AS FOLLOWS:</fo:inline>
</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">1. Sitting Duck is
aware that ROS will
perform penetration testing services of the
following systems of Sitting Duck, as described
below. The services are intended to gain insight in the security of these
systems. To do so, ROS
will access these systems, attempt to find vulnerabilities and gain further
access and elevated privileges by exploiting any vulnerabilities found.
ROS will test the
following targets (the “<fo:inline font-weight="bold">Targets</fo:inline>”):</fo:block>
<fo:list-block margin-bottom="10pt" line-height="18pt" provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item><fo:list-item-label end-indent="label-end()"><fo:block><fo:inline>•</fo:inline></fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>dsfsd</fo:block></fo:list-item-body></fo:list-item><fo:list-item><fo:list-item-label end-indent="label-end()"><fo:block><fo:inline>•</fo:inline></fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>adfsd</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="10pt" line-height="18pt">2. Sitting Duck
hereby grants ROS and
the Consultants on a date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">a. enter and use the Targets;</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">b. circumvent, breach, remove and turn off
any security measures protecting the Targets;</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">c. copy, intercept, record, amend, delete,
render unusable or inaccessible any data stored on, processed by or
transferred via the Targets; and</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">d. hinder the access or use of the
Targets,</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">but Sitting Duck
only grants the permission for these activities to the extent that (i) such
activities are necessary to perform the assignment and (ii) such activities
do not disrupt the normal business operations of Sitting Duck.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">3. The permission under Article 1 extends
to all systems on which the Targets run, or which ROS or the Consultant might
encounter while performing the assignment, regardless of whether these
systems are owned by third parties.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">4. Sitting Duck
warrants that it has the legal authority to give the permission set out
under Articles 1 and 2. It also warrants it has obtained the necessary
permissions from any third parties referred to under Article 3.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">5. Should the public prosecutor initiate an
investigation or criminal proceedings against ROS or any of the consultants it
engaged or employed as a result of the performance of the assignment for the
customer, then Sitting Duck will co-operate fully
with ROS in defending
against this investigation or proceedings, including by providing any
evidence it has which relates to this investigation or these
proceedings.</fo:block>
<fo:block margin-top="1.5cm" keep-together.within-page="always"><fo:table width="100%" table-layout="fixed"><fo:table-column column-width="proportional-column-width(10)"/><fo:table-column column-width="proportional-column-width(90)"/><fo:table-body><fo:table-row><fo:table-cell padding="2pt" number-rows-spanned="4"><fo:block>Signed</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">on    August 25, 2016</fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">in     </fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">by
   __________________________________</fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">for    </fo:block></fo:table-cell></fo:table-row></fo:table-body></fo:table></fo:block>
</fo:block>
</fo:block><fo:block id="EndOfDoc"/></fo:flow></fo:page-sequence></fo:root>


@ -1,80 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?><fo:root xmlns:fo="http://www.w3.org/1999/XSL/Format"><fo:layout-master-set><fo:simple-page-master margin-top="2cm" margin-bottom="1.8cm" margin-left="2cm" margin-right="2cm" page-height="29.7cm" page-width="21.0cm" master-name="Cover"><fo:region-body margin-top="1cm" margin-bottom="1cm" region-name="region-body"/><fo:region-before precedence="true" extent="0.6cm" region-name="region-before-cover"/><fo:region-after precedence="true" extent="0.6cm" padding="0" region-name="region-after-cover"/></fo:simple-page-master><fo:simple-page-master margin-top="2cm" margin-bottom="1.8cm" margin-left="2cm" margin-right="2cm" page-height="29.7cm" page-width="21.0cm" master-name="Content"><fo:region-body margin-top="1cm" margin-bottom="1cm" region-name="region-body"/><fo:region-before precedence="true" extent="0.6cm" region-name="region-before-content"/><fo:region-after precedence="true" extent="0.6cm" padding="0" region-name="region-after-content"/></fo:simple-page-master><fo:page-sequence-master master-name="Report"><fo:repeatable-page-master-alternatives><fo:conditional-page-master-reference master-reference="Cover" blank-or-not-blank="not-blank" page-position="first"/><fo:conditional-page-master-reference master-reference="Content" blank-or-not-blank="not-blank"/></fo:repeatable-page-master-alternatives></fo:page-sequence-master></fo:layout-master-set><fo:page-sequence master-reference="Report"><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-before-cover"><fo:block text-align="right" font-weight="bold"/></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-before-content"><fo:block text-align="right" font-weight="bold"/></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-after-cover"><fo:block 
text-align-last="justify"><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="black"> - Chamber of Commerce
</fo:inline></fo:block></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-after-content"><fo:block text-align-last="justify"><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="black"> - Chamber of Commerce
</fo:inline></fo:block></fo:static-content><fo:flow font-family="LiberationSansNarrow" font-size="12pt" color="black" flow-name="region-body"><fo:block><fo:block margin-bottom="1.5cm"><fo:block font-weight="bold" keep-with-next.within-page="always" text-align="center" color="white" text-transform="uppercase" font-size="18pt" margin-bottom="1cm" background-color="#FF5C00"/>
<fo:block xmlns:xlink="http://www.w3.org/1999/xlink" keep-with-next.within-page="always" text-align="center" color="white" font-weight="bold" text-transform="uppercase" font-style="italic" font-size="14pt" margin-bottom="0.8cm" background-color="#999999">penetration test - WAIVER</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt"><fo:inline font-weight="bold"><fo:inline font-style="italic">dafaf</fo:inline> (<fo:inline font-style="italic">dad</fo:inline>)</fo:inline>, with its registered office at fsgf,
sgf, sfgsfg and duly represented by <fo:inline font-weight="bold">sgf</fo:inline></fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">
<fo:inline font-weight="bold">WHEREAS:</fo:inline>
</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">A. Sitting Duck wants some of its systems to be tested,
Radically Open Security B.V. (“ROS”) has offered to perform
such testing for Sitting Duck and
Sitting Duck has accepted this offer.
The assignment will be performed by ROS' core-team members, external
freelancers, and/or volunteers (the “Consultants”).</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">B. Some of the activities performed by
ROS and the
Consultants during the course of this assignment could be considered
illegal, unless dad has given permission for
these activities. ROS
and the Consultant will only perform such activities if they have received
the required permission.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">C. dad is
willing to give such permission to ROS, the Consultants and any
other person ROS might
employ or engage for the assignment.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">
<fo:inline font-weight="bold">DECLARES AS FOLLOWS:</fo:inline>
</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">1. dad is
aware that ROS will
perform penetration testing services of the
following systems of dad, as described
below. The services are intended to gain insight in the security of these
systems. To do so, ROS
will access these systems, attempt to find vulnerabilities and gain further
access and elevated privileges by exploiting any vulnerabilities found.
ROS will test the
following targets (the “<fo:inline font-weight="bold">Targets</fo:inline>”):</fo:block>
<fo:list-block margin-bottom="10pt" line-height="18pt" provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item><fo:list-item-label end-indent="label-end()"><fo:block><fo:inline>•</fo:inline></fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>dsfsd</fo:block></fo:list-item-body></fo:list-item><fo:list-item><fo:list-item-label end-indent="label-end()"><fo:block><fo:inline>•</fo:inline></fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block>adfsd</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="10pt" line-height="18pt">2. dad
hereby grants ROS and
the Consultants on a date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">a. enter and use the Targets;</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">b. circumvent, breach, remove and turn off
any security measures protecting the Targets;</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">c. copy, intercept, record, amend, delete,
render unusable or inaccessible any data stored on, processed by or
transferred via the Targets; and</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">d. hinder the access or use of the
Targets,</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">but dad
only grants the permission for these activities to the extent that (i) such
activities are necessary to perform the assignment and (ii) such activities
do not disrupt the normal business operations of dad.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">3. The permission under Article 1 extends
to all systems on which the Targets run, or which ROS or the Consultant might
encounter while performing the assignment, regardless of whether these
systems are owned by third parties.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">4. dad
warrants that it has the legal authority to give the permission set out
under Articles 1 and 2. It also warrants it has obtained the necessary
permissions from any third parties referred to under Article 3.</fo:block>
<fo:block margin-bottom="10pt" line-height="18pt">5. Should the public prosecutor initiate an
investigation or criminal proceedings against ROS or any of the consultants it
engaged or employed as a result of the performance of the assignment for the
customer, then dad will co-operate fully
with ROS in defending
against this investigation or proceedings, including by providing any
evidence it has which relates to this investigation or these
proceedings.</fo:block>
<fo:block margin-top="1.5cm" keep-together.within-page="always"><fo:table width="100%" table-layout="fixed"><fo:table-column column-width="proportional-column-width(10)"/><fo:table-column column-width="proportional-column-width(90)"/><fo:table-body><fo:table-row><fo:table-cell padding="2pt" number-rows-spanned="4"><fo:block>Signed</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">on    August 25, 2016</fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">in     </fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">by
   __________________________________</fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell padding="2pt"><fo:block margin-bottom="10pt" line-height="18pt">for    </fo:block></fo:table-cell></fo:table-row></fo:table-body></fo:table></fo:block>
</fo:block></fo:block><fo:block id="EndOfDoc"/></fo:flow></fo:page-sequence></fo:root>


@ -3,13 +3,6 @@
xmlns:xs="http://www.w3.org/2001/XMLSchema" exclude-result-prefixes="xs"
xmlns:fo="http://www.w3.org/1999/XSL/Format" version="2.0">
<xsl:variable name="denomination">
<xsl:choose>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'euro'"></xsl:when>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'dollar'">$</xsl:when>
</xsl:choose>
</xsl:variable>
<xsl:template match="generate_targets">
<xsl:call-template name="generate_targets_xslt"/>
</xsl:template>


@ -60,8 +60,9 @@
<xsl:variable name="vat" select="$fee div 100 * 21"/>
<xsl:variable name="denomination">
<xsl:choose>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'euro'"></xsl:when>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'dollar'">$</xsl:when>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'eur'"></xsl:when>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'gbp'">£</xsl:when>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'usd'">$</xsl:when>
</xsl:choose>
</xsl:variable>
<xsl:call-template name="invoiceStart">
@ -108,8 +109,9 @@
<xsl:template name="custom_invoice">
<xsl:variable name="denomination">
<xsl:choose>
<xsl:when test="/invoice/@denomination = 'euro'"></xsl:when>
<xsl:when test="/invoice/@denomination = 'dollar'">$</xsl:when>
<xsl:when test="/invoice/@denomination = 'eur'"></xsl:when>
<xsl:when test="/invoice/@denomination = 'gbp'">£</xsl:when>
<xsl:when test="/invoice/@denomination = 'usd'">$</xsl:when>
</xsl:choose>
</xsl:variable>
<xsl:call-template name="invoiceStart">
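Review bot: Both `xsl:choose` blocks in this file (the one before the first `invoiceStart` call and the one in `custom_invoice`) now map the same three codes to symbols but still have no `xsl:otherwise`, so an invoice whose `@denomination` is missing or misspelled renders an amount with no currency at all instead of failing; the schema's new `use="required"` only helps if the source is validated before the transform, which this stylesheet does not do. Since the two blocks differ only in where the attribute is read from, I would hoist the mapping into one named template that takes the code as a parameter and terminates on anything unknown, then call it from both `$denomination` variables. The `eur` branch is shown empty in this rendering; if that is not a € glyph lost by the page, euro amounts also print as a bare number. The enclosing templates begin outside both hunks.
```xml
<!-- shared code-to-symbol mapping; callers pass the @denomination value -->
<xsl:template name="currencySymbol">
    <xsl:param name="code"/>
    <xsl:choose>
        <xsl:when test="$code = 'eur'">€</xsl:when>
        <xsl:when test="$code = 'gbp'">£</xsl:when>
        <xsl:when test="$code = 'usd'">$</xsl:when>
        <xsl:otherwise>
            <xsl:message terminate="yes">unknown denomination '<xsl:value-of select="$code"/>'</xsl:message>
        </xsl:otherwise>
    </xsl:choose>
</xsl:template>
<!-- … unchanged: template body up to the $vat variable … -->
<xsl:variable name="denomination">
    <xsl:call-template name="currencySymbol">
        <xsl:with-param name="code" select="/offerte/meta/pentestinfo/fee/@denomination"/>
    </xsl:call-template>
</xsl:variable>
<!-- … unchanged: invoiceStart call … -->
<!-- custom_invoice: the same call with select="/invoice/@denomination" -->
```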


@ -61,6 +61,14 @@
</xsl:for-each>
</xsl:variable>
<xsl:variable name="denomination">
<xsl:choose>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'eur'"></xsl:when>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'usd'">$</xsl:when>
<xsl:when test="/offerte/meta/pentestinfo/fee/@denomination = 'gbp'">£</xsl:when>
</xsl:choose>
</xsl:variable>
<!-- ROOT -->
<xsl:template match="/">
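Review bot: The new global `$denomination` variable has no `xsl:otherwise`, so a `fee/@denomination` that is absent or not one of eur/gbp/usd leaves the variable empty and the fee is rendered with no currency marker at all, which on a quotation is an ambiguity the schema's `use="required"` only catches if the document is actually validated before this transform runs. Add `<xsl:otherwise><xsl:message terminate="yes">unknown fee denomination '<xsl:value-of select="/offerte/meta/pentestinfo/fee/@denomination"/>'</xsl:message></xsl:otherwise>` before `</xsl:choose>`. The `eur` branch also shows no symbol in this rendering; if the € glyph was genuinely omitted rather than lost by the page, euro fees print as a bare number. This is the third copy of the same code-to-symbol mapping in this commit (the invoice stylesheet carries two more); one named template in localisation.xslt would keep them from drifting.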


@ -3,11 +3,20 @@
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:fo="http://www.w3.org/1999/XSL/Format" exclude-result-prefixes="xs" version="2.0">
<xsl:import href="localisation.xslt"/>
<xsl:import href="snippets.xslt"/>
<xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>
<xsl:include href="localisation.xslt"/>
<xsl:variable name="lang" select="/quickscope/meta/offer_language/text()"/>
<xsl:param name="snippetBase" select="'offerte'"/>
<xsl:variable name="snippetSelectionRoot"
select="document('../source/snippets/snippetselection.xml')/snippet_selection/document[@type = $docType]"/>
<xsl:variable name="docType" select="'offerte'"/>
<xsl:variable name="docSubType" select="/quickscope/meta/offer_type"/>
<!-- ROOT -->
<xsl:template match="/">
@ -15,13 +24,15 @@
<offerte xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="../dtd/offerte.xsd"
xmlns:xi="http://www.w3.org/2001/XInclude">
<xsl:attribute name="xml:lang"><xsl:value-of select="$lang"/></xsl:attribute>
<xsl:attribute name="xml:lang">
<xsl:value-of select="$lang"/>
</xsl:attribute>
<xsl:comment>document meta information; to be filled in by the offerte writer</xsl:comment>
<meta>
<offered_service_long>
<!-- if known type, use long service name from localisationstrings.xml; otherwise, use long service name provided in quickscope -->
<xsl:choose>
<xsl:when
test="/quickscope/meta/offer_type = 'pentest' or /*/meta/offer_type = 'basic-scan'">
<xsl:when test="/quickscope/meta/offer_type != 'other'">
<xsl:call-template name="getString">
<xsl:with-param name="stringID"
select="concat('coverpage_service_', /quickscope/meta/offer_type)"
@ -35,9 +46,9 @@
</offered_service_long>
<xsl:comment>if there is a shorter way of saying the same thing, you can type it here (it makes for more dynamic offerte text). If not, just repeat the long name.</xsl:comment>
<offered_service_short>
<!-- if known type, use short service name from localisationstrings.xml; otherwise, use short service name provided in quickscope -->
<xsl:choose>
<xsl:when
test="/*/meta/offer_type = 'pentest' or /*/meta/offer_type = 'basic-scan'">
<xsl:when test="/quickscope/meta/offer_type != 'other'">
<xsl:call-template name="getString">
<xsl:with-param name="stringID"
select="concat('coverpage_service_', /*/meta/offer_type, '_short')"
@ -53,6 +64,7 @@
<xsl:attribute name="href">snippets/company_info.xml</xsl:attribute>
</xsl:element>
<targets>
<!-- copy targets from quickscope -->
<xsl:comment>one target element per target</xsl:comment>
<xsl:for-each select="/*/meta/targets/target">
<xsl:copy>
@ -61,6 +73,7 @@
</xsl:for-each>
</targets>
<permission_parties>
<!-- copy permission parties from quickscope -->
<xsl:element name="xi:include">
<xsl:attribute name="href">client_info.xml</xsl:attribute>
</xsl:element>
@ -71,6 +84,7 @@
</xsl:for-each>
</permission_parties>
<pentestinfo>
<!-- copy various variables from quickscope -->
<duration>
<xsl:value-of select="/*/pentest_info/days"/>
</duration>
@ -90,21 +104,23 @@
<xsl:value-of select="/*/pentest_info/type"/>
</type>
<xsl:comment>please choose one of the following: black-box, grey-box, crystal-box</xsl:comment>
<fee denomination="euro">
<fee denomination="eur">
<xsl:value-of select="/*/pentest_info/rate"/>
</fee>
<xsl:comment>(euro|dollar)</xsl:comment>
<xsl:comment>(eur|usd|gbp)</xsl:comment>
<xsl:if test="*/pentest_info/application_name">
<target_application><xsl:value-of select="/*/pentest_info/application_name"/></target_application>
<target_application>
<xsl:value-of select="/*/pentest_info/application_name"/>
</target_application>
<xsl:comment>name of application/service to be tested (if any; if none, DELETE target_application element)</xsl:comment>
</xsl:if>
</pentestinfo>
<version_history>
<xsl:comment>needed for date on frontpage and in signature boxes; it is possible to add a new &lt;version> after each review; in that case, make sure to update the date/time</xsl:comment>
<version number="auto">
<xsl:attribute name="date"><xsl:value-of
select="format-date(current-date(), '[Y]-[M,2]-[D1]', 'en', (), ())"
select="format-date(current-date(), '[Y]-[M,2]-[D,2]', 'en', (), ())"
/>T10:00:00</xsl:attribute>
<xsl:comment>actual date-time here; you can leave the number attribute alone</xsl:comment>
<v_author>ROS Writer</v_author>
@ -115,8 +131,45 @@
</version_history>
</meta>
<xsl:for-each
select="$snippetSelectionRoot/selection[@subtype = $docSubType]/snippet_group[@set = 'group1']/snippet">
<xsl:element name="xi:include">
<xsl:attribute name="href">
<xsl:call-template name="docCheck">
<xsl:with-param name="fileNameBase" select="."/>
<xsl:with-param name="snippetDirectory" select="$snippetBase"/>
</xsl:call-template>
</xsl:attribute>
</xsl:element>
</xsl:for-each>
<xsl:if test="/*/pentest_info/codeaudit/@perform = 'yes'">
<xsl:for-each
select="$snippetSelectionRoot/selection[@subtype = $docSubType]/snippet_group[@set = 'additionalcodeaudit']/snippet">
<xsl:element name="xi:include">
<xsl:attribute name="href">
<xsl:call-template name="docCheck">
<xsl:with-param name="fileNameBase" select="."/>
<xsl:with-param name="snippetDirectory" select="$snippetBase"/>
</xsl:call-template>
</xsl:attribute>
</xsl:element>
</xsl:for-each>
</xsl:if>
<xsl:for-each
select="$snippetSelectionRoot/selection[@subtype = $docSubType]/snippet_group[@set = 'group2']/snippet">
<xsl:element name="xi:include">
<xsl:attribute name="href">
<xsl:call-template name="docCheck">
<xsl:with-param name="fileNameBase" select="."/>
<xsl:with-param name="snippetDirectory" select="$snippetBase"/>
</xsl:call-template>
</xsl:attribute>
</xsl:element>
</xsl:for-each>
<xsl:comment>Introduction and Scope</xsl:comment>
<!--<xsl:comment>Introduction and Scope</xsl:comment>
<xsl:element name="xi:include">
<xsl:attribute name="href">
<xsl:call-template name="docCheck">
@ -155,8 +208,8 @@
<xsl:with-param name="fileNamePart">methodology</xsl:with-param>
</xsl:call-template>
</xsl:attribute>
</xsl:element>
<xsl:if test="/*/pentest_info/codeaudit/@perform = 'yes'">
</xsl:element>-->
<!--<xsl:if test="/*/pentest_info/codeaudit/@perform = 'yes'">
<xsl:element name="xi:include">
<xsl:attribute name="href">
<xsl:call-template name="docCheck">
@ -165,8 +218,8 @@
</xsl:call-template>
</xsl:attribute>
</xsl:element>
</xsl:if>
<xsl:element name="xi:include">
</xsl:if>-->
<!--<xsl:element name="xi:include">
<xsl:attribute name="href">
<xsl:call-template name="docCheck">
<xsl:with-param name="fileNamePart">teamandreporting</xsl:with-param>
@ -215,13 +268,13 @@
<xsl:with-param name="fileNamePart">waiver</xsl:with-param>
</xsl:call-template>
</xsl:attribute>
</xsl:element>
</xsl:element>-->
</offerte>
</xsl:template>
<xsl:template name="docCheck">
<!--<xsl:template name="docCheck">
<xsl:param name="fileNamePart" select="'none'"/>
<xsl:param name="typeSuffix">
<xsl:choose>
@ -244,6 +297,6 @@
<xsl:value-of select="$fileNameStandard"/>
</xsl:otherwise>
</xsl:choose>
</xsl:template>
</xsl:template>-->
</xsl:stylesheet>
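Review bot: The three `xsl:for-each` loops added in the `@ -115,8 +131,45 @@` hunk all select `$snippetSelectionRoot/selection[@subtype = $docSubType]/...`, and when snippetselection.xml has no `<selection>` for the quickscope's `offer_type` (or no `<document type="offerte">`) every loop is simply empty, so the generated offerte silently loses its whole snippet body — including whatever now stands in for the waiver and permission text the commented-out includes used to pull in — with no error from the transform. I would fail loudly at the start of the root template: `<xsl:if test="empty($snippetSelectionRoot/selection[@subtype = $docSubType])"><xsl:message terminate="yes">no snippet selection for <xsl:value-of select="concat($docType, '/', $docSubType)"/></xsl:message></xsl:if>`. In the first hunk localisation.xslt appears both as `xsl:import` and as `xsl:include`; if both survive on the new side the included copy shadows the imported one and one of them should go. The callers still reach `docCheck` with new `fileNameBase`/`snippetDirectory` parameters while the local `docCheck` is commented out, so the template is presumably now supplied by the imported snippets.xslt, which I cannot see; either way the large commented-out blocks from "Introduction and Scope" to the end of the file are better deleted than kept, since version control holds the history.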