Unlike most companies, we only charge for what we actually discover. Rates are based on the vulnerability's risk:
| Vulnerability Risk | Payment (NZD) | Definition |
|---|---|---|
| Low | $299 | Exploitable only under rare circumstances/Minor damage |
| Medium | $999 | Exploitable under possible circumstances/Moderate damage |
| High | $1999 | Exploitable under most circumstances/High damage |
Risk ratings are based on the following clearly defined criteria:
A vulnerability is considered low risk if it can only be exploited under rare conditions, and/or the damage caused by an attacker exploiting the vulnerability would be minor. For example, using out-of-date software that is not exploitable in its current configuration, but could become exploitable if the configuration changed, is rated as low risk.
A vulnerability is considered medium risk if it can be exploited under possible conditions, and/or the damage caused by an attacker exploiting the vulnerability would be moderate. For example, if users are allowed to choose weak passwords, and no account lockout occurs when a brute-force login attack is attempted, this is rated as medium risk.
A vulnerability is considered high risk if it can be exploited under most conditions, and/or the damage caused by an attacker exploiting the vulnerability would be significant. For example, cross-site scripting that allows an attacker to take over a user's account is rated as high risk.
If your company has a limited budget, a maximum threshold can be set before testing starts. If the amount of vulnerabilities reaches this threshold, we will stop testing to avoid budget overruns.