Details of No-Risk Security Assessments

The following are some legal and financial details involving OneStopAppSecurity’s No-Risk Security Assessments. A basic summary of them is:

OneStopAppSecurity.com will perform and deliver the work specified in the No-Risk Security Assessment contract, which is signed before the assessment begins. If you feel the completed assessment brought you no value or insignificant value, you can simply notify OneStopAppSecurity.com of this and keep all deliverables of the assessment at no charge.
  1. A No-Risk Security Assessment is eight (8) hours of consulting time at a flat fee of $2,000, pending customer acceptance.

  2. A No-Risk Security Assessment will be free if none of the following acceptance criteria are met:

    1. The assessment identifies at least two (2) significant security flaws, issues, vulnerabilities, architecture problems, exposures, risks, etc…
    2. The assessment identifies at least four (4) moderate security flaws, issues, vulnerabilities, architecture problems, exposures, risks, etc…
    3. The assessment identifies at least one (1) significant and two (2) moderate security flaws, issues, vulnerabilities, architecture problems, exposures, risks, etc…
  3. The term significant in number (2) above is defined as meeting any of the following conditions:

    1. A Base, Temporal or Environmental CVSS 2.0 score of 7 or higher. The value of 7 was chosen because it is the threshold considered High in the National Vulnerability Database (NVD).
    2. A similar vulnerability is ranked as high, severe, critical, urgent, or any other term of similar meaning in any widely recognized and reputable vulnerability database or vulnerability report produced by a widely recognized and reputable vendor.
    3. OneStopAppSecurity.com considers the problem to be significant.
  4. The term moderate in number (2) above is defined as meeting any of the following conditions:

    1. A Base, Temporal or Environmental CVSS 2.0 score greater than 4 and less than 7. This is the range considered Medium in the NVD.
    2. A similar vulnerability is ranked as medium, moderate, important, or any other term of similar meaning in any widely recognized and reputable vulnerability database or vulnerability report produced by a widely recognized and reputable vendor.
    3. OneStopAppSecurity.com considers the problem to be moderate.
  5. If OneStopAppSecurity.com and the customer disagree as to whether any of the acceptance criteria are met, the client has the responsibility to explain to and discuss with OneStopAppSecurity.com why they feel the conditions were not met. If disagreement remains after the earlier of (a) the end of five working days (defined as days when the client is available, able and willing to discuss any disagreements and that are workdays for OneStopAppSecurity.com) or (b) a mutually agreed-upon reasonable discussion, the customer has final say as to whether they pay and, if so, how much they pay for the assessment. The customer keeps all deliverables from the No-Risk Security Assessment regardless of the amount they pay. Besides not having to pay, there are two ramifications of a disagreement about whether the acceptance criteria were met:

    1. In order to maintain the reputability of OneStopAppSecurity.com, the customer is not allowed to state, in any way, that they passed a security assessment by OneStopAppSecurity.com.
    2. OneStopAppSecurity.com may choose not to work with the customer in the future.
  6. Prior to beginning a No-Risk Security Assessment, a written contract will be agreed upon and signed by both OneStopAppSecurity.com and the customer. This contract will be the sole agreement between OneStopAppSecurity.com and the customer with respect to the No-Risk Security Assessment. Any other statements, guarantees or commitments of any type, whether made explicitly or implicitly, via any medium including but not limited to verbal, written, email, or web posting, are non-binding unless explicitly stated otherwise in the contract.

  7. Due to the short duration of a No-Risk Security Assessment, OneStopAppSecurity.com may need to limit the scope of the assessment. All such limitations will be agreed upon by both parties prior to the beginning of the No-Risk Security Assessment and documented in the contract.

  8. Should OneStopAppSecurity.com limit the scope of a No-Risk Security Assessment, the assessment scope can be increased for a fee with the mutual agreement of OneStopAppSecurity.com and the customer. This agreement must occur prior to the signing of the No-Risk Security Assessment contract, in which the scope of the assessment and the fee agreements must be included.

  9. A half-time and half-cost variant of the No-Risk Security Assessment referred to as the No-Risk Security Assessment Lite may be available upon request. The No-Risk Security Assessment Lite is four (4) hours of consulting time at a flat fee of $1,000.

  10. With the exception of time, cost and acceptance criteria, all definitions and conditions of the No-Risk Security Assessment Lite are the same as those of the No-Risk Security Assessment.

  11. A No-Risk Security Assessment Lite will be free if neither of the following acceptance criteria is met:

    1. The assessment identifies at least one (1) significant security flaw, issue, vulnerability, architecture problem, exposure, risk, etc…
    2. The assessment identifies at least two (2) moderate security flaws, issues, vulnerabilities, architecture problems, exposures, risks, etc…
  12. OneStopAppSecurity.com reserves the right to refuse to begin a No-Risk Security Assessment due to scheduling difficulties, concerns about abuse of the No-Risk policy by the customer or any other reason that OneStopAppSecurity.com decides upon. Furthermore, OneStopAppSecurity.com is under no obligation to explain its decision to refuse accepting a No-Risk Security Assessment.
