Client Engagement Agreement
Security Research and Disclosure Services
This Agreement is entered into between Expose Security Research, an independent security research service ("Researcher"), and the client identified below ("Client").
Engagement Scope
The engagement covers only the domains, applications, APIs, IP ranges, repositories, accounts, environments, and test windows listed in the authorization form, proposal, statement of work, or written approval from Client. Any change in scope must be approved in writing before testing continues.
Authority
Client confirms that the signer is authorized to bind the organization and that Client owns, controls, or has written permission to authorize testing of every scoped asset. Client must identify vendor-managed, cloud-hosted, shared, or third-party systems before testing begins.
Rules of Engagement
Expose Security Research will follow agreed scope limits, test windows, rate limits, credential rules, and emergency stop instructions. Destructive testing, persistence, malware, denial-of-service, social engineering, physical attacks, spam, phishing, and bulk data extraction are excluded unless separately authorized in writing.
Deliverables
Deliverables may include a written report, severity ratings, evidence summaries, affected assets, reproduction notes, remediation recommendations, and verification notes. Report contents are based on evidence available during the engagement and do not guarantee that all vulnerabilities were found.
Payment
Client agrees to pay the fees stated in the applicable proposal or invoice. Paid reports and advisory services may be released after payment or according to the written payment schedule. Payment is for documentation, expertise, remediation support, and professional services, not for withholding vulnerability information.
Confidentiality
The parties will protect non-public information received through the engagement, including reports, evidence, credentials, architecture details, business contacts, and communications. Confidentiality does not prevent disclosure required by law, disclosure to professional advisers under confidentiality, or responsible public disclosure consistent with the disclosure policy after private notice and a reasonable resolution window.
Evidence Handling
Expose Security Research minimizes evidence collection and avoids storing raw personal data, credentials, secrets, or regulated data unless strictly necessary to document the finding. Private reports and evidence are stored in access-restricted systems and are not displayed on the public website.
Retention
Unless a statement of work or law requires a different period, authorization records, agreement records, invoices, and audit trail metadata may be retained for up to seven years. Private reports and evidence may be retained for up to twelve months after case closure for verification, dispute handling, and remediation support, then deleted or anonymized where practical.
Remediation
Client remains responsible for deciding whether and how to remediate findings. Expose Security Research may provide remediation advice or verification support, but implementation responsibility remains with Client and its vendors.
Intellectual Property
All research methodologies, tools, processes, templates, and workflows used by Expose Security Research remain the exclusive property of the Researcher. The delivered report is licensed to Client for internal security, legal, audit, insurance, and remediation use only and may not be resold, publicly published, or redistributed without written consent.
No Warranty
Services are provided with professional care but without any guarantee of complete security, regulatory compliance, uninterrupted operation, or discovery of every vulnerability. Security conditions can change after testing is completed.
Limitation of Liability
To the maximum extent permitted by law, Researcher's aggregate liability is limited to fees paid for the engagement during the six months before the claim. Researcher is not liable for indirect, consequential, special, punitive, lost-profit, business interruption, data loss, or reputational damages except where such limitation is prohibited by law.
Indemnification
Client agrees to indemnify and hold harmless Expose Security Research, its operators, contractors, and affiliates from claims, damages, or expenses arising from pre-existing vulnerabilities, Client's failure to implement recommended fixes, Client's lack of authority over scoped systems, inaccurate scope information, unauthorized third-party testing instructions, or unauthorized use of the research findings.
Electronic Acceptance
By submitting this agreement electronically, Client confirms that the signer has read, understood, and agrees to all terms and has authority to bind Client. Electronic acceptance, IP address capture, timestamp capture, and the agreement reference number form the electronic signature record under applicable electronic commerce laws.
Governing Law
Unless a signed statement of work states otherwise, this Agreement is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law rules. Disputes must first be addressed through good-faith negotiation for 30 days. If unresolved, either party may pursue binding arbitration in English under the AAA Commercial Arbitration Rules, with the seat of arbitration in Delaware, except that either party may seek urgent injunctive or equitable relief from a court of competent jurisdiction.
Suspension
Expose Security Research may pause or stop testing if scope authority is unclear, testing creates unexpected risk, Client requests a stop, payment is overdue, or continued work may violate law, provider rules, or third-party rights.
Force Majeure
Neither party shall be liable for delays caused by circumstances beyond its reasonable control.
Notices
Operational and legal notices may be sent to the email addresses provided by the parties. Security notices to Expose Security Research should be sent to security@exposesecurity.online.
Electronic Acceptance
By submitting this agreement electronically, the Client confirms that it has read, understood, and agrees to all terms. Electronic acceptance constitutes a legally binding signature under applicable electronic commerce laws.
Researcher: Expose Security Research