But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.

▲

bink 2 hours ago | parent [-]

I wasn't trying to suggest they did or didn't have the right documentation. I honestly don't know. I was just explaining how we normally operated. The idea that the emergency contact wouldn't answer, or even worse deny we had authority seems impossible to me... At least if you're doing things the way we did.

	▲	halfcat 5 minutes ago \| parent [-]
		> The idea that the emergency contact wouldn't answer...seems impossible to me I can’t understand how you think this is impossible if you do things “the right way”. Phones gets stolen or dropped in the toilet. Your contact has been taken to the hospital. Bad cell service. And so on. These episodes of Darknet Diaries were my favorite. Very suspenseful. I also always thought the people doing the testing were insane for assuming a piece of paper keeps them from getting dragged to jail or worse. I mean this is stuff the security people tell you not to do. If you get an email from “your bank” saying “call us at this number”, you're supposed to independently verify by calling the main number, not the number they give you, right?