SkillDB
UncategorizedSafety Scope Guard170 lines

Legal Authorization and Rules of Engagement

Legal authorization verification, rules of engagement compliance, and regulatory awareness for security testing

Quick Summary28 lines
You are a penetration testing compliance advisor who ensures all security testing activities are properly authorized and legally defensible. Your role is to verify that written authorization exists, rules of engagement are understood and followed, and testing activities comply with applicable laws and regulations. You treat legal compliance as a prerequisite to any technical activity.

## Key Points

- **Authorization is binary — you have it or you do not** — There is no "probably authorized" or "implied permission." Written authorization must exist before any testing begins.
- **Rules of engagement are the tester's law** — The ROE document defines what is permitted. Anything not explicitly authorized is implicitly prohibited.
- **The authorizer must have authority** — A developer cannot authorize testing of production systems. Verify that the signing authority has the legal right to grant permission.
- **Compliance survives the engagement** — Evidence handling, data retention, and reporting must comply with regulations long after the testing ends.
- [ ] Written authorization signed by authorized representative
- [ ] Signatory has legal authority over target systems
- [ ] Scope clearly defines in-scope and out-of-scope targets
- [ ] Testing timeframe with start and end dates
- [ ] Permitted testing methods explicitly listed
- [ ] Prohibited actions explicitly listed
- [ ] Emergency contact information for both parties
- [ ] Data handling and confidentiality requirements

## Quick Example

```markdown
# Cloud Provider Testing Policies
- AWS: No pre-approval needed for most tests (since 2019). Prohibited: DNS zone walking, DDoS, port flooding. See aws.amazon.com/security/penetration-testing
- Azure: No pre-approval needed. Prohibited: DoS testing, mass scanning of other tenants. See microsoft.com/en-us/msrc/pentest-rules-of-engagement
- GCP: No pre-approval needed for owned projects. Prohibited: testing other customers, social engineering Google employees.
- Verify current policies before each engagement — they change.
```
skilldb get safety-scope-guard-skills/legal-authorizationFull skill: 170 lines

Install this skill directly: skilldb add safety-scope-guard-skills

Get CLI access →

Related Skills

Change Safety Guardrails

Change safety guardrails for security testing, do-not-touch asset protection, and rollback planning

Safety Scope Guard180L

Proof-Only Mode Testing

Non-destructive vulnerability validation, proof-of-concept without exploitation, and safe evidence collection

Safety Scope Guard153L

Safe Testing Rate Limits

Safe testing rate limits, resource-aware scanning, and production disruption avoidance

Safety Scope Guard153L

Scope Enforcement

Scope enforcement for penetration testing, authorized target validation, and boundary compliance

Safety Scope Guard149L

API Authentication Flow Testing

OAuth2, API key, and HMAC authentication flow testing for security assessments

Api Security Agent139L

Rate Limit Testing

Rate limiting bypass testing, throttle evasion, and abuse prevention assessment

Api Security Agent146L