Only pay for valid vulnerabilities. If we don't find anything, it is completely free.
Since 2011, OSI Security has been providing free penetration testing services...
A Result based Penetration Test is suitable for;
Small businesses which cannot afford a traditional Time-costed penetration test.
Businesses which have never had a penetration test before.
Enterprise and corporations which have conducted costly penetration tests in the past, with minimal risks identified.
How it works...
We charge a fee per vulnerability discovered, relevant to its class of vulnerability.
We conduct both automated scanning and manual human penetration testing at no cost. Our experts have over 15 years commercial experience in penetration testing and exploit development.
We will issue a report including IP addresses, DNS records and URLs with the issue explained and solution at no cost.
However, we charge for successfully identifying vulnerabilities and risks:
Informational issues are completely free (such as weak SSL encryption or test pages, spelling mistakes in production).
Low risk vulnerabilities, such as Cross-site scripting (XSS) or default passwords are billed at $300 ex GST per issue.
Medium risk vulnerabilities, such as SQL injection or information leaks are billed at $1500 ex GST per issue.
High and critical vulnerabilities, such as system compromise or code execution are billed at $3000 ex GST per issue.
Note: In some circumstances, risks may change depending on client environment. For example, a Cross-site scripting vulnerability (XSS) may be low risk in a SMB client where no website authentication is required. The same vulnerability within an online e-commerce, credit union or banking system would normally be critically high risk due to the potential impact of the client - which may change the fee.
Terms & Conditions
Application is restricted to Australian entities only. Corporate, government, charity, not for profit and sole traders, trust, or partnerships.
Vulnerability risk, and therefore, "Fee", may change depending on risk to client - see note above.
Any dispute in relation to the vulnerability type or risk will be mediated with a reputable third party or accepted security standards.
OSI Security will notify the client as-and-when a vulnerability is found, as to the nature of the vulnerability and the fee for the class of bug discovered.
When applying for a Result based Penetration Test, OSI Security will ask the client to establish a Maximum amount they wish to spend. Assuming we find enough vulnerabilities to reach this limit, the Result based Penetration Test will end and we will contact the Client representative for further instruction.
Upon completion of the Penetration Test / Vulnerability Audit, a Report document will be issued to the client in the form of an encrypted PDF document (or other file format as agreed).
Any intellectual property developed by OSI Security during the Result based Penetration Test vests in OSI Security and the Client is granted a non-exclusive, perpetual license.
OSI Security reserves the right to refuse to provide a Result based Penetration Test for any reason, including but not limited to; where the Client application appears to be fraudulent, technical resources are not available, or for any other reason.
Penetration Testing may constitute an Offence under Australian law and local jurisdictions. A signed legal contact is required prior to commencement of the Results based Penetration Test.