By Sherri Davidoff   /   Nov 19th, 2019

The Pentester’s Code of Conduct – Rules that Keep Everyone Safe

When I was hacking at MIT, we carried orange laminated cards with “Hacker Ethics” printed on them. These served two purposes: first, they were useful for carding doors (and we used them routinely to break into places). Second, they served as a constant reminder of how to hack safely and ethically.

Today, “ethical hacking” has grown into a profession. At LMG Security, our pentesters abide by a “Code of Conduct” that is similar in concept to the MIT Hacker Ethics that guided us long ago. This week I am proud to be speaking at AwarenessCon on how we can all work together to ensure that penetration testing is conducted safely and effectively. I will be handing out laminated cards that are both useful for carding doors, and also imprinted with the Pentester’s Code of Conduct. Here they are online, so that everyone can read them, or you can download the file. Please share with your community!

  • Know your scope. Make sure that you have reviewed written documentation which clearly describes the goals of testing, what you are testing, how you are testing it, and any constraints.
  • Do not exceed your scope.
  • Take responsibility. Remember that you are responsible for making your assigned engagements a success.
  • Only hack when under signed contract. Once you become a professional penetration tester, you are held to higher standards of ethics (and liability).
  • Verify your targets well in advance of the start of an engagement, and have the list in writing.
  • Do a thorough and complete job. Don’t cut corners to finish early. If you have concerns about scope and the time allotted, contact a manager right away.
  • Take careful notes. Document your tests as you go along, so that others can reproduce and verify your findings. You should be able to list everything you tested, and how you tested it, in detail even if there are no issues found.
  • Upload your evidence to a central repository as soon as you can. That way, if you have a hard drive failure or other issue, all is not lost.
  • Know your client. Introduce yourself to your point of contact prior to testing. Have a verbal conversation before testing in which you confirm your expectations. Make sure the client knows how to contact you, and you know how to contact the client, at all times during testing.
  • Communicate with your teammates, your client, and your project managers regularly throughout the course of an engagement.
  • Know your limitations and do not exceed them. If you do not know how to properly test a finding, then learn from someone who knows before trying.
  • Treat all others with respect. This includes clients, administrative personnel, colleagues, and enemies.
  • Own your mistakes. Take responsibility and respond without delay. Immediately talk to a supervisor and come up with a plan.
  • Include your best suggestions for a solution when reporting a problem.
  • Google first, then ask questions.
  • Share your knowledge. Your experience will benefit our whole community.
  • Above all, exercise common sense.


About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.