Authorized Testing Policy

Last updated: April 2026

Authorization Requirement

Provecore conducts security testing exclusively under written authorization from an authorized representative of the target organization. Testing does not begin until a signed Rules of Engagement document is received from a person with authority to authorize the testing.

No verbal authorization, email confirmation, or informal agreement is sufficient. Testing begins only after a signed, written authorization document is in place.

Scope Limitation

All testing is conducted strictly within the scope defined in the agreed Rules of Engagement. We do not test, access, or interact with systems, endpoints, or data outside the agreed scope, regardless of discovery during testing.

If a potential vulnerability is identified that appears to extend beyond the agreed scope, we report it to the client and pause investigation pending written authorization to expand scope.

No Destructive Actions

We do not perform actions that could cause service disruption, data loss, or data corruption unless explicitly authorized in writing by the client. This includes:

  • Deleting or modifying production data
  • Disrupting service availability
  • Causing denial-of-service conditions
  • Exfiltrating sensitive data beyond what is required to demonstrate a finding

Any finding whose proof requires a destructive action needs explicit written authorization before that action is taken.

Data Handling

Any data accessed during testing is handled confidentially and used only for the purpose of documenting findings. Test credentials, API keys, and tokens are not stored beyond the engagement period and are destroyed on engagement completion.

Sensitive data discovered during testing (PII, credentials, payment data) is documented by type and location in findings — we do not capture, copy, or retain the content of the data itself beyond minimum necessary evidence.

No Unauthorized Testing

Provecore does not conduct, offer, or facilitate unauthorized security testing against any system. Any request to test systems without proper authorization will be declined.

Social Engineering

Social engineering, phishing, and physical security testing are not conducted unless explicitly scoped and authorized in writing in the Rules of Engagement. These activities are never included by default.

Third-Party Systems

Testing that may interact with third-party systems, cloud providers, or shared infrastructure requires written confirmation from the client that they have authority to authorize testing of those systems, or that testing will be limited to avoid impacting shared infrastructure.

Contact

For questions about our testing policies or to report concerns: security@provecore.com