system-prompts-and-models-o.../salesflow-saas/docs/verification/V003_pentest_engagement.md
Claude 3ef62652aa
Phase 2 Execution Waves: 90-day plan + Verification Protocol scaffolding
Saves the DEALIX_PHASE2_EXECUTION_WAVES.md 90-day plan and scaffolds every
artifact the coding agent can produce. Wave A-E execution is explicitly
blocked until the Week-12 Phase Gate (§3) returns Green.

Added:
  §1 Verification Protocol (V001-V007)
    - scripts/v001_secret_scan.sh — trufflehog + gitleaks full-history scan
    - backend/tests/security/test_rls_fuzz.py — 10K cross-tenant fuzz
    - docs/verification/V003_pentest_engagement.md — vendor RFP + scope
    - docs/verification/V004_no_founder_demo_test.md — 3-tester protocol
    - scripts/v005_truth_registry_audit.py — independent audit tool
    - infra/load-tests/baseline.js — k6 perf baseline
    - frontend/tests/a11y/baseline.spec.ts — Playwright+axe baseline
    - docs/baselines/README.md + docs/verification/README.md

  §2 Founder Decision Sprint (FD001-FD005)
    - docs/internal/legal_entity_decision.md — MISA/DIFC/Delaware brief
    - docs/internal/trademark_status.md — SAIP filing kit tracker
    - docs/hiring/{design_engineer, backend_engineer, head_of_cs}.md

  §3 Customer Validation (CV001-CV004)
    - docs/customer_learnings/pilot_agreement_template.md
    - docs/customer_learnings/pilot_template/success_criteria.md
    - docs/customer_learnings/pilot_template/kickoff_checklist.md
    - docs/customer_learnings/friction_log.md + feature_requests.yaml
    - docs/customer_learnings/weekly_review_template.md

  Truth registry updates
    - docs/registry/TRUTH.yaml — new verification_protocol,
      founder_decision_sprint, customer_validation sections

Gates (post-change):
  architecture_brief.py     40/40
  release_readiness_matrix  94/94 (added 30 new scaffold checks)
  v005_truth_registry_audit 19/19 SUPPORTED
2026-04-17 11:13:27 +00:00

# V003 — External Penetration Test Engagement

- Status: NOT STARTED — founder action required
- Gate: Phase 2 cannot claim "pentested" until a written report exists in `docs/internal/pentest_report_YYYYMMDD.pdf`
- Budget: $20,000–$40,000 USD
- Target completion: Week 10


## Vendor Shortlist

| Vendor | Strengths | Indicative Quote | Region | Link |
|---|---|---|---|---|
| Cure53 | Browser + web app focus; strong LLM/prompt-injection experience | $25–35K | Berlin | https://cure53.de |
| Trail of Bits | Deep protocol + cryptography + supply chain | $35–50K | NYC | https://www.trailofbits.com |
| NCC Group | Enterprise-grade, global presence, SOC 2 alignment | $30–45K | London/NYC | https://www.nccgroup.com |
| Securinc | MENA-focused, Arabic+English reporting | $15–25K | Dubai | https://securinc.io |
| Include Security | Web + LLM + cloud posture | $25–40K | USA | https://includesecurity.com |

## Required Scope (send to vendors verbatim)

1. Authentication & Session
   - JWT lifecycle, refresh token rotation, session fixation
   - SSO/SCIM flows (once WorkOS is in place — Wave B)
   - MFA bypass attempts
2. Multi-Tenancy Isolation
   - PostgreSQL Row-Level Security bypass attempts
   - Cross-tenant data access via ORM, raw SQL, IDOR
   - Tenant context tampering via JWT claims
3. Authorization (ABAC)
   - Policy class A/B/C enforcement (Approval Bridge)
   - Approval workflow forgery
   - Evidence Pack tampering
4. LLM & Prompt Injection
   - OWASP LLM Top 10 across all 17 structured output endpoints
   - Prompt leakage (model_router, partner dossier, Saudi workflow)
   - Jailbreak via Arabic/RTL encoding tricks
   - Training data leakage via echo attacks
5. File Uploads / Evidence
   - Path traversal on uploads
   - Polyglot file attacks
   - SHA256 tamper detection bypass
6. Webhooks / Integrations
   - Signature forgery on WhatsApp/Email/ZATCA webhooks
   - Replay attacks
   - SSRF via outbound connectors
7. Infrastructure
   - Container escape (if applicable)
   - Redis command injection
   - CORS / CSP review

## Deliverables (required from vendor)

1. Executive summary (1–2 pages, Arabic + English preferred)
2. Technical findings per OWASP risk rating (Critical / High / Medium / Low / Info)
3. Reproducer steps for every finding
4. Re-test report after remediation
5. Letter of attestation suitable for customer security questionnaires

## Acceptance Criteria (Day 90)

- Vendor engaged with SOW signed
- Report received (PDF or signed Markdown)
- 0 open Critical findings
- ≤2 open High findings (with remediation plan)
- Re-test scheduled

## Founder Checklist

- Shortlist 3 vendors from the table above
- Send identical RFP; compare price + scope + timeline
- Legal: confirm NDA in place before sharing architecture docs
- Legal: confirm whether SAR or USD invoicing (KSA VAT implications)
- Allocate technical point-of-contact (founder or senior engineer)
- Schedule kickoff call with vendor
- Provide vendor: staging URL, test accounts (Tenant A, Tenant B, admin), architecture brief, this scope doc

## Anti-Patterns

- Claiming "pentested" based on automated scans (Snyk, Trivy, Burp alone)
- Claiming "pentested" based on an internal red-team exercise
- Time-limited engagement <5 business days
- Accepting a vendor whose report template has <10 pages