False Negatives

During the penetration testing done by our hackers in the Squad Plan, you may notice an open vulnerability that they did not report; this is a false negative. When this happens, both parties must follow the protocol below so that the incident is handled with the utmost care.

  1. The client reports the incident over any of the available communication channels.
  2. The project manager suspends the billing and any pending charges with the administrative area.
  3. Fluid Attacks schedules a two-hour meeting with the client in less than eight office hours.
    • The account manager and an ethical hacker will attend the meeting.
    • Fluid Attacks will analyze the client's report in order to understand it.
    • If possible, Fluid Attacks will try to replicate the issue in the environments.
  4. Fluid Attacks schedules a weekly meeting about the postmortem status.
    • The meetings will be scheduled for 11:55 AM (GMT-5) and will last 10 minutes.
    • The first meeting will be seven days after the initial two-hour meeting.
    • The meetings will be recurring with no specified end date.
    • From the client's side, at least the reporter of the incident and their two immediate superiors will attend the meetings.
    • From Fluid Attacks' side, at least the account manager and their two immediate superiors will attend the meetings.
    • The meeting will be led by Fluid Attacks' account manager.
    • The agenda for the day will be the pending postmortem of both parties and the report dates.
  5. Fluid Attacks gives the client the potential leak form.
  6. The client fills out the potential leak form.