veza/docs/PENTEST_SEND_PACKAGE.md

# Pentest send package — v2026 engagement

> Operational checklist for handing off the v1.0.9 pre-launch pentest
> brief to the external team. Companion to `docs/PENTEST_SCOPE_2026.md`
> (the technical scope) — this doc is purely "what you send, in what
> order, via which channel."

The scope doc is technical and reusable across engagements. This file
is the per-engagement "send package" that wraps it: the email template,
the credentials-delivery plan, the IP allow-list step, and the kick-off
checklist.

## The 5-step send sequence

Run these in order. Each step has a check (✓) the operator ticks before
moving to the next — out-of-order steps cause the engagement to stall.

### Step 1 — counter-sign the NDA + authorisation letter

- [ ] NDA template signed by the pentester firm and counter-signed by us.
- [ ] Authorisation-to-test letter signed by Veza tech lead (limits the
      scope to what's in `PENTEST_SCOPE_2026.md` §"In-scope assets" — the
      letter MUST list the staging URL explicitly so a reviewer can map
      pentester traffic to authorised activity).
- [ ] Both PDFs uploaded to the shared 1Password vault (entry name :
      `pentest-2026-legal`). Do **not** email PDFs.

### Step 2 — provision pentester credentials

- [ ] Run `bash scripts/pentest/seed-test-accounts.sh staging` (creates
      the 3 accounts from `PENTEST_SCOPE_2026.md` §"Authentication
      context", outputs random passwords).
- [ ] Output passwords land in three 1Password entries :
      `pentest-2026-listener`, `pentest-2026-creator`, `pentest-2026-admin`.
      Each entry's "Notes" field includes the role and the MFA bypass
      token if applicable.
- [ ] Share each entry **read-only** with the pentester's 1Password
      account using the firm's billing email. Do **not** put passwords
      in chat, email, or shell history.
- [ ] Set entry expiration to engagement-end + 7 days (so cleanup is
      automatic if the team forgets to revoke).

### Step 3 — allow-list the pentester's IP

The Forgejo source-code mirror at `https://10.0.20.105:3000/senke/veza`
is grey-box read-only access. The pentester needs their static
egress IP allow-listed before they can `git clone`.

- [ ] Pentester sends their static egress IP (PGP-signed mail, or
      1Password Notes field).
- [ ] SSH to `srv-102v` (Forgejo container) and add the IP to
      `/etc/forgejo/allowlist.conf`.
- [ ] `systemctl reload forgejo`.
- [ ] Verify : `curl -I https://10.0.20.105:3000/senke/veza` from the
      pentester IP returns 200 ; from any other IP, 403.

(A future iteration could turn this into an Ansible playbook
`infra/ansible/playbooks/pentest_allowlist_ip.yml`. For now the manual
SSH path is fine — this happens once per engagement.)

### Step 4 — send the kick-off email

Use the template below. Replace the placeholders inside `<…>`. Send
PGP-encrypted (the pentester's key is in their security.txt) to
**both** their lead pentester and their project manager so the chain
of responsibility is recorded.

```text
Subject : [PENTEST] Veza v1.0.9 pre-launch engagement — kick-off

Hi <lead pentester first name>,

Per the signed scope letter dated <YYYY-MM-DD>, the Veza v1.0.9
pre-launch pentest engagement starts on <YYYY-MM-DD>. The brief is
attached as PENTEST_SCOPE_2026.md (see also the rendered HTML at
https://staging.veza.fr/legal/pentest-scope-2026.html).

Quick links :

  • Staging URL  : https://staging.veza.fr
  • Source code  : https://10.0.20.105:3000/senke/veza
                   (grey-box, read-only ; your egress IP <PENTESTER_IP>
                    has been allow-listed as of <YYYY-MM-DD HH:MM UTC>.)
  • Status page  : https://status.veza.fr (we'll lower the alert
                    threshold during your engagement so the SOC isn't
                    paged on every benign 401).
  • Test accounts: shared with your firm's 1Password — entries
                    pentest-2026-{listener,creator,admin}. Passwords
                    expire <engagement_end + 7d>.

Engagement window :

  • Start  : <YYYY-MM-DD>
  • End    : <YYYY-MM-DD>  (~10 business days)
  • Re-test: 1 round, after our team's fix pass (typically 2 weeks
              after the initial report)

Communications :

  • Async       : security@veza.fr (PGP fingerprint at
                   https://veza.fr/.well-known/security.txt)
  • Weekly sync : <weekday HH:MM TZ>, video link in the calendar invite
  • Critical findings : phone the on-call number in the contract
                         (HIGH severity = phone, not email)

Expected deliverables :

  • Initial findings report (markdown or PDF) at engagement end
  • Re-test report after our fix pass
  • Optional : exec-level summary slide deck

Reach out if anything in PENTEST_SCOPE_2026.md is unclear before
day 1. Otherwise — good hunting.

Best,
<Tech lead name>
Veza
```

- [ ] Email PGP-signed and sent.
- [ ] Calendar invite sent for the weekly sync.
- [ ] Slack/Signal channel created for HIGH-severity escalation
      (channel naming : `#pentest-2026-veza`).

### Step 5 — lower the SOC alerting threshold

During the engagement, automated scanners and authentication
brute-force attempts WILL fire alerts. Tune them down so the on-call
isn't paged on every legitimate pentester action.

- [ ] In `config/prometheus/alert_rules.yml` → `HighErrorRate`,
      `HighLatencyP99` : add a `for: 30m` override OR mute via
      Alertmanager silence (recommended: silence rather than edit
      rules so the change auto-expires at engagement end).
- [ ] Silence URL : `https://prometheus.veza.fr/alertmanager/#/silences/new`
      → matchers: `severity=warning`, comment: `pentest-2026 active`,
      duration: `engagement_end + 24h`.
- [ ] Subscribe the engagement Slack channel to the silence's
      auto-removal so the SOC knows when the heightened alerting
      resumes.

## Reception checklist (after pentester confirms receipt)

- [ ] Pentester replied to the kick-off email within 1 business day.
- [ ] Pentester confirmed they can `git clone` the source repo.
- [ ] Pentester confirmed they can log in as each of the 3 test
      accounts.
- [ ] Pentester confirmed the staging URL responds (`/api/v1/health`
      returns 200).
- [ ] First findings — even informational — start landing in the
      shared report by end of engagement day 3 (a complete silence
      until the final report is a process smell).

If any reception checklist item fails after 24h, the engagement
hasn't really started. Phone the firm's PM, don't email.

## Post-engagement housekeeping

- [ ] Findings report received → import into the issue tracker as
      separate tickets, severity preserved, attribution
      `external-pentest-2026`.
- [ ] Fix pass scheduled and timeboxed (HIGH within 1 week, MEDIUM
      within 4 weeks, LOW best-effort).
- [ ] Re-test scheduled 2 weeks after fix-pass start.
- [ ] Re-test report received → update the ticket statuses ; any
      remaining unresolved finding above LOW blocks v2.0.0-public.
- [ ] Test accounts' passwords manually rotated **the day the
      engagement ends** (don't wait for 1Password's auto-expiry).
- [ ] Pentester IP removed from Forgejo allow-list.
- [ ] Alertmanager silence removed (should auto-remove, but verify).
- [ ] Engagement folder zipped and stored at
      `docs/archive/pentest-2026/` (kept 5 years for audit trail).
- [ ] Public summary blog post drafted (no findings details, just the
      "we did this, here's what we learned" framing). Reviewed by
      legal before publish.

## Linked artefacts

- `docs/PENTEST_SCOPE_2026.md` — the technical scope (what's testable)
- `docs/SECURITY_PRELAUNCH_AUDIT.md` — internal Day 21 audit (what we
  already cleared)
- `docs/archive/PENTEST_REPORT_VEZA_v0.12.6.md` — last engagement's
  report, format reference for what to expect back
- `scripts/pentest/seed-test-accounts.sh` — credential provisioning
  helper (creates the 3 staging accounts referenced in the scope)
- `docs/GO_NO_GO_CHECKLIST_v2.0.0_PUBLIC.md` — the row this engagement
  unblocks
docs(pentest): add send-package SOP + seed-test-accounts helper The pentest scope doc (PENTEST_SCOPE_2026.md) is the technical brief — what's testable, what's out, what to focus on. But it doesn't tell the operator HOW to send the engagement off : credentials delivery plan, IP allow-list step, kick-off email template, alert-tuning during the engagement window. So historically each engagement has been a one-off that depends on whoever was on duty remembering the last time. Added : * docs/PENTEST_SEND_PACKAGE.md — 5-step send sequence (NDA → credentials → IP allow-list → kick-off email → alert tuning), reception checklist, and post-engagement housekeeping. Email template inline so it's grep-able and version-controlled. * scripts/pentest/seed-test-accounts.sh — provisions the 3 staging accounts (listener/creator/admin) referenced by §"Authentication context" of the scope doc. Generates 32-char random passwords, probes each by login, emits 1Password import JSON to stdout (passwords NEVER printed to the screen). Refuses to run against any env that isn't "staging". The send-package doc references one helper that doesn't exist yet : * infra/ansible/playbooks/pentest_allowlist_ip.yml — Forgejo IP allow-list automation. Punted to a follow-up because the manual SSH path is fine for once-per-engagement use and Ansible formalisation deserves its own commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-30 20:29:35 +00:00			`# Pentest send package — v2026 engagement`

			`> Operational checklist for handing off the v1.0.9 pre-launch pentest`
			> brief to the external team. Companion to `docs/PENTEST_SCOPE_2026.md`
			`> (the technical scope) — this doc is purely "what you send, in what`
			`> order, via which channel."`

			`The scope doc is technical and reusable across engagements. This file`
			`is the per-engagement "send package" that wraps it: the email template,`
			`the credentials-delivery plan, the IP allow-list step, and the kick-off`
			`checklist.`

			`## The 5-step send sequence`

			`Run these in order. Each step has a check (✓) the operator ticks before`
			`moving to the next — out-of-order steps cause the engagement to stall.`

			`### Step 1 — counter-sign the NDA + authorisation letter`

			`- [ ] NDA template signed by the pentester firm and counter-signed by us.`
			`- [ ] Authorisation-to-test letter signed by Veza tech lead (limits the`
			scope to what's in `PENTEST_SCOPE_2026.md` §"In-scope assets" — the
			`letter MUST list the staging URL explicitly so a reviewer can map`
			`pentester traffic to authorised activity).`
			`- [ ] Both PDFs uploaded to the shared 1Password vault (entry name :`
			`pentest-2026-legal`). Do not email PDFs.

			`### Step 2 — provision pentester credentials`

			- [ ] Run `bash scripts/pentest/seed-test-accounts.sh staging` (creates
			the 3 accounts from `PENTEST_SCOPE_2026.md` §"Authentication
			`context", outputs random passwords).`
			`- [ ] Output passwords land in three 1Password entries :`
			`pentest-2026-listener`, `pentest-2026-creator`, `pentest-2026-admin`.
			`Each entry's "Notes" field includes the role and the MFA bypass`
			`token if applicable.`
			`- [ ] Share each entry read-only with the pentester's 1Password`
			`account using the firm's billing email. Do not put passwords`
			`in chat, email, or shell history.`
			`- [ ] Set entry expiration to engagement-end + 7 days (so cleanup is`
			`automatic if the team forgets to revoke).`

			`### Step 3 — allow-list the pentester's IP`

			The Forgejo source-code mirror at `https://10.0.20.105:3000/senke/veza`
			`is grey-box read-only access. The pentester needs their static`
			egress IP allow-listed before they can `git clone`.

			`- [ ] Pentester sends their static egress IP (PGP-signed mail, or`
			`1Password Notes field).`
			- [ ] SSH to `srv-102v` (Forgejo container) and add the IP to
			`/etc/forgejo/allowlist.conf`.
			- [ ] `systemctl reload forgejo`.
			- [ ] Verify : `curl -I https://10.0.20.105:3000/senke/veza` from the
			`pentester IP returns 200 ; from any other IP, 403.`

			`(A future iteration could turn this into an Ansible playbook`
			`infra/ansible/playbooks/pentest_allowlist_ip.yml`. For now the manual
			`SSH path is fine — this happens once per engagement.)`

			`### Step 4 — send the kick-off email`

			Use the template below. Replace the placeholders inside `<…>`. Send
			`PGP-encrypted (the pentester's key is in their security.txt) to`
			`both their lead pentester and their project manager so the chain`
			`of responsibility is recorded.`

			```text
			`Subject : [PENTEST] Veza v1.0.9 pre-launch engagement — kick-off`

			`Hi <lead pentester first name>,`

			`Per the signed scope letter dated <YYYY-MM-DD>, the Veza v1.0.9`
			`pre-launch pentest engagement starts on <YYYY-MM-DD>. The brief is`
			`attached as PENTEST_SCOPE_2026.md (see also the rendered HTML at`
			`https://staging.veza.fr/legal/pentest-scope-2026.html).`

			`Quick links :`

			`• Staging URL : https://staging.veza.fr`
			`• Source code : https://10.0.20.105:3000/senke/veza`
			`(grey-box, read-only ; your egress IP <PENTESTER_IP>`
			`has been allow-listed as of <YYYY-MM-DD HH:MM UTC>.)`
			`• Status page : https://status.veza.fr (we'll lower the alert`
			`threshold during your engagement so the SOC isn't`
			`paged on every benign 401).`
			`• Test accounts: shared with your firm's 1Password — entries`
			`pentest-2026-{listener,creator,admin}. Passwords`
			`expire <engagement_end + 7d>.`

			`Engagement window :`

			`• Start : <YYYY-MM-DD>`
			`• End : <YYYY-MM-DD> (~10 business days)`
			`• Re-test: 1 round, after our team's fix pass (typically 2 weeks`
			`after the initial report)`

			`Communications :`

			`• Async : security@veza.fr (PGP fingerprint at`
			`https://veza.fr/.well-known/security.txt)`
			`• Weekly sync : <weekday HH:MM TZ>, video link in the calendar invite`
			`• Critical findings : phone the on-call number in the contract`
			`(HIGH severity = phone, not email)`

			`Expected deliverables :`

			`• Initial findings report (markdown or PDF) at engagement end`
			`• Re-test report after our fix pass`
			`• Optional : exec-level summary slide deck`

			`Reach out if anything in PENTEST_SCOPE_2026.md is unclear before`
			`day 1. Otherwise — good hunting.`

			`Best,`
			`<Tech lead name>`
			`Veza`
			```

			`- [ ] Email PGP-signed and sent.`
			`- [ ] Calendar invite sent for the weekly sync.`
			`- [ ] Slack/Signal channel created for HIGH-severity escalation`
			(channel naming : `#pentest-2026-veza`).

			`### Step 5 — lower the SOC alerting threshold`

			`During the engagement, automated scanners and authentication`
			`brute-force attempts WILL fire alerts. Tune them down so the on-call`
			`isn't paged on every legitimate pentester action.`

			- [ ] In `config/prometheus/alert_rules.yml` → `HighErrorRate`,
			`HighLatencyP99` : add a `for: 30m` override OR mute via
			`Alertmanager silence (recommended: silence rather than edit`
			`rules so the change auto-expires at engagement end).`
			- [ ] Silence URL : `https://prometheus.veza.fr/alertmanager/#/silences/new`
			→ matchers: `severity=warning`, comment: `pentest-2026 active`,
			duration: `engagement_end + 24h`.
			`- [ ] Subscribe the engagement Slack channel to the silence's`
			`auto-removal so the SOC knows when the heightened alerting`
			`resumes.`

			`## Reception checklist (after pentester confirms receipt)`

			`- [ ] Pentester replied to the kick-off email within 1 business day.`
			- [ ] Pentester confirmed they can `git clone` the source repo.
			`- [ ] Pentester confirmed they can log in as each of the 3 test`
			`accounts.`
			- [ ] Pentester confirmed the staging URL responds (`/api/v1/health`
			`returns 200).`
			`- [ ] First findings — even informational — start landing in the`
			`shared report by end of engagement day 3 (a complete silence`
			`until the final report is a process smell).`

			`If any reception checklist item fails after 24h, the engagement`
			`hasn't really started. Phone the firm's PM, don't email.`

			`## Post-engagement housekeeping`

			`- [ ] Findings report received → import into the issue tracker as`
			`separate tickets, severity preserved, attribution`
			`external-pentest-2026`.
			`- [ ] Fix pass scheduled and timeboxed (HIGH within 1 week, MEDIUM`
			`within 4 weeks, LOW best-effort).`
			`- [ ] Re-test scheduled 2 weeks after fix-pass start.`
			`- [ ] Re-test report received → update the ticket statuses ; any`
			`remaining unresolved finding above LOW blocks v2.0.0-public.`
			`- [ ] Test accounts' passwords manually rotated **the day the`
			`engagement ends** (don't wait for 1Password's auto-expiry).`
			`- [ ] Pentester IP removed from Forgejo allow-list.`
			`- [ ] Alertmanager silence removed (should auto-remove, but verify).`
			`- [ ] Engagement folder zipped and stored at`
			`docs/archive/pentest-2026/` (kept 5 years for audit trail).
			`- [ ] Public summary blog post drafted (no findings details, just the`
			`"we did this, here's what we learned" framing). Reviewed by`
			`legal before publish.`

			`## Linked artefacts`

			- `docs/PENTEST_SCOPE_2026.md` — the technical scope (what's testable)
			- `docs/SECURITY_PRELAUNCH_AUDIT.md` — internal Day 21 audit (what we
			`already cleared)`
			- `docs/archive/PENTEST_REPORT_VEZA_v0.12.6.md` — last engagement's
			`report, format reference for what to expect back`
			- `scripts/pentest/seed-test-accounts.sh` — credential provisioning
			`helper (creates the 3 staging accounts referenced in the scope)`
			- `docs/GO_NO_GO_CHECKLIST_v2.0.0_PUBLIC.md` — the row this engagement
			`unblocks`