Claude 3ef62652aa
Phase 2 Execution Waves: 90-day plan + Verification Protocol scaffolding
Saves the DEALIX_PHASE2_EXECUTION_WAVES.md 90-day plan and scaffolds every
artifact the coding agent can produce. Wave A-E execution is explicitly
blocked until the Week-12 Phase Gate (§3) returns Green.

Added:
  §1 Verification Protocol (V001-V007)
    - scripts/v001_secret_scan.sh — trufflehog + gitleaks full-history scan
    - backend/tests/security/test_rls_fuzz.py — 10K cross-tenant fuzz
    - docs/verification/V003_pentest_engagement.md — vendor RFP + scope
    - docs/verification/V004_no_founder_demo_test.md — 3-tester protocol
    - scripts/v005_truth_registry_audit.py — independent audit tool
    - infra/load-tests/baseline.js — k6 perf baseline
    - frontend/tests/a11y/baseline.spec.ts — Playwright+axe baseline
    - docs/baselines/README.md + docs/verification/README.md

  §2 Founder Decision Sprint (FD001-FD005)
    - docs/internal/legal_entity_decision.md — MISA/DIFC/Delaware brief
    - docs/internal/trademark_status.md — SAIP filing kit tracker
    - docs/hiring/{design_engineer, backend_engineer, head_of_cs}.md

  §3 Customer Validation (CV001-CV004)
    - docs/customer_learnings/pilot_agreement_template.md
    - docs/customer_learnings/pilot_template/success_criteria.md
    - docs/customer_learnings/pilot_template/kickoff_checklist.md
    - docs/customer_learnings/friction_log.md + feature_requests.yaml
    - docs/customer_learnings/weekly_review_template.md

  Truth registry updates
    - docs/registry/TRUTH.yaml — new verification_protocol,
      founder_decision_sprint, customer_validation sections

Gates (post-change):
  architecture_brief.py     40/40
  release_readiness_matrix  94/94 (added 30 new scaffold checks)
  v005_truth_registry_audit 19/19 SUPPORTED
2026-04-17 11:13:27 +00:00


# V003 — External Penetration Test Engagement
> **Status**: NOT STARTED — founder action required
> **Gate**: Phase 2 cannot claim "pentested" until written report exists in `docs/internal/pentest_report_YYYYMMDD.pdf`
> **Budget**: $20,000–$40,000 USD
> **Target completion**: Week 10
---
## Vendor Shortlist
| Vendor | Strengths | Indicative Quote | Region | Link |
|--------|-----------|------------------|--------|------|
| **Cure53** | Browser + web app focus; strong LLM/prompt-injection experience | $25–35K | Berlin | https://cure53.de |
| **Trail of Bits** | Deep protocol + cryptography + supply chain | $35–50K | NYC | https://www.trailofbits.com |
| **NCC Group** | Enterprise-grade, global presence, SOC 2 alignment | $30–45K | London/NYC | https://www.nccgroup.com |
| **Securinc** | MENA-focused, Arabic+English reporting | $15–25K | Dubai | https://securinc.io |
| **Include Security** | Web + LLM + cloud posture | $25–40K | USA | https://includesecurity.com |
---
## Required Scope (send to vendors verbatim)
1. **Authentication & Session**
   - JWT lifecycle, refresh token rotation, session fixation
   - SSO/SCIM flows (once WorkOS in place — Wave B)
   - MFA bypass attempts
2. **Multi-Tenancy Isolation**
   - PostgreSQL Row-Level Security bypass attempts
   - Cross-tenant data access via ORM, raw SQL, IDOR
   - Tenant context tampering via JWT claims
3. **Authorization (ABAC)**
   - Policy class A/B/C enforcement (Approval Bridge)
   - Approval workflow forgery
   - Evidence Pack tampering
4. **LLM & Prompt Injection**
   - OWASP LLM Top 10 across all 17 structured output endpoints
   - Prompt leakage (model_router, partner dossier, Saudi workflow)
   - Jailbreak via Arabic/RTL encoding tricks
   - Training data leakage via echo attacks
5. **File Uploads / Evidence**
   - Path traversal on uploads
   - Polyglot file attacks
   - SHA256 tamper detection bypass
6. **Webhooks / Integrations**
   - Signature forgery on WhatsApp/Email/ZATCA webhooks
   - Replay attacks
   - SSRF via outbound connectors
7. **Infrastructure**
   - Container escape (if applicable)
   - Redis command injection
   - CORS / CSP review
---
## Deliverables (required from vendor)
1. Executive summary (1–2 pages, Arabic + English preferred)
2. Technical findings per OWASP risk rating (Critical / High / Medium / Low / Info)
3. Reproducer steps for every finding
4. Re-test report after remediation
5. Letter of attestation suitable for customer security questionnaires
---
## Acceptance Criteria (Day 90)
- [ ] Vendor engaged with SOW signed
- [ ] Report received (PDF or signed Markdown)
- [ ] 0 open Critical findings
- [ ] ≤2 open High findings (with remediation plan)
- [ ] Re-test scheduled
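The Day-90 criteria above can be enforced mechanically, in the style of the repo's other gate scripts. The following is an added example, not part of this document or the project's tooling; the findings list, the report filename and the `evaluate_gate` helper are constructed for illustration, and the report-path pattern follows the `docs/internal/pentest_report_YYYYMMDD.pdf` gate stated at the top of this page.

```python
import re

# Constructed sample findings (not from any real report). Severities use the
# OWASP risk rating the scope asks vendors to report against.
SAMPLE_FINDINGS = [
    {"id": "F-01", "severity": "Critical", "status": "fixed", "remediation_plan": "patched in Wave A"},
    {"id": "F-02", "severity": "High", "status": "open", "remediation_plan": "rotate webhook secrets, Week 11"},
    {"id": "F-03", "severity": "High", "status": "open", "remediation_plan": ""},
    {"id": "F-04", "severity": "Medium", "status": "open", "remediation_plan": ""},
]

# Report location required by the Gate line of this document (PDF only here;
# a signed-Markdown report would need its own signature check).
REPORT_PATH = re.compile(r"^docs/internal/pentest_report_\d{8}\.pdf$")


def open_by_severity(findings, severity):
    """Findings of the given severity that are still open."""
    return [f for f in findings if f["severity"] == severity and f["status"] == "open"]


def evaluate_gate(findings, report_path, retest_scheduled):
    """Return (passed, reasons) against the Day-90 acceptance criteria.

    Red if: report path is wrong, any Critical is open, more than two Highs
    are open, an open High lacks a remediation plan, or no re-test is booked.
    """
    reasons = []
    if not REPORT_PATH.match(report_path):
        reasons.append(f"report path {report_path!r} does not match docs/internal/pentest_report_YYYYMMDD.pdf")
    crit = open_by_severity(findings, "Critical")
    if crit:
        reasons.append(f"{len(crit)} open Critical finding(s): {[f['id'] for f in crit]}")
    high = open_by_severity(findings, "High")
    if len(high) > 2:
        reasons.append(f"{len(high)} open High findings (max 2 allowed)")
    for f in high:
        if not f["remediation_plan"].strip():
            reasons.append(f"open High {f['id']} has no remediation plan")
    if not retest_scheduled:
        reasons.append("re-test not scheduled")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed path: the date segment is a placeholder, not a real report.
    ok, why = evaluate_gate(SAMPLE_FINDINGS, "docs/internal/pentest_report_20260101.pdf", True)
    print("GREEN" if ok else "RED", why)
```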
---
## Founder Checklist
- [ ] Shortlist 3 vendors from table above
- [ ] Send identical RFP; compare price + scope + timeline
- [ ] Legal: confirm NDA in place before sharing architecture docs
- [ ] Legal: confirm whether SAR or USD invoicing (KSA VAT implications)
- [ ] Allocate technical point-of-contact (founder or senior engineer)
- [ ] Schedule kickoff call with vendor
- [ ] Provide vendor: staging URL, test accounts (Tenant A, Tenant B, admin), architecture brief, this scope doc
---
## Anti-Patterns
- ❌ Claiming "pentested" based on automated scans (Snyk, Trivy, Burp alone)
- ❌ Claiming "pentested" based on internal red-team exercise
- ❌ Time-limited engagement <5 business days
- ❌ Accepting a vendor whose report template has <10 pages