Part-time cybersecurity pricing isn't guesswork! Three formulas for calculating prices Party A won't cut

In the past, when I shared the vulnerability report, many friends complained privately: "Getting orders is hard: quote high and Party A doesn't even reply, quote low and you lose money, and then payment comes late", or "As soon as Party A asks for a discount I panic, not knowing whether to hold firm or give in."
In fact, part-time cybersecurity pricing is not a shot in the dark; it follows a scientific logic of "what Party A can accept without feeling cheated". The money Party A is willing to pay is essentially the balance between "the cost of fixing the vulnerability" and "the loss from not fixing it". Today I'll show you three pricing formulas you can use directly, with reference quotation tables for different vulnerabilities and scenarios, plus counter-offer techniques, so that Party A rarely cuts your price and feels it is getting "value".
I. First understand: why doesn't Party A accept your quote? Three pricing pits for beginners
Before learning the formulas, avoid the three pricing mistakes that leave you "either losing the job or losing money". These are the pits I stepped into when I first freelanced:
Pit 1: pricing by "feel", with no anchor
Newcomers often say, "Others quote 3k, I'll quote 2.5k", without spelling out what the 2.5k includes. For example, someone else's 3k covers "vulnerability detection + fix code + one week of follow-up validation", while your 2.5k covers only "a vulnerability report". Party A then thinks: "You're cheaper than them, but you also do less, so you're not actually a better deal."
Pit 2: looking only at the "number of vulnerabilities", not the "business impact"
The same SQL injection vulnerability carries completely different risk on an e-commerce site (orders, payments) than on a corporate showcase site (information only). A newcomer prices it at "2k per high-risk vulnerability"; the e-commerce Party A thinks "too cheap, can this person really test everything?", while the showcase-site Party A thinks "too expensive, I'm losing money".
Pit 3: not quoting a premium, and giving in the moment the price is challenged
When Party A says, "Someone else only quotes 1.8k, can you go lower?", the newcomer immediately answers, "Fine, 1.5k then". Later there are more vulnerabilities than expected, the report is written on overtime to hit the deadline, and the biggest regret is that the discount was never worth it.
II. Three pricing formulas (with real-world cases)
The core pricing logic is: price = base cost + risk premium + value-added services. The following three formulas cover 90% of part-time scenarios; just plug in your numbers.
Formula 1: single-vulnerability pricing formula (for the "one vulnerability + report" scenario)
Applicable scenario: Party A only asks you to test one module (e.g., "Is there SQL injection on the official site's login page?" or "Is there a file upload vulnerability?").
Formula: single-vulnerability price = base price x vulnerability grade factor x business impact factor
Parameters (parameter / value standard):
Base price: low-risk vulnerability 500 yuan; medium-risk vulnerability 1,000 yuan; high-risk vulnerability 2,000 yuan (industry reference prices)
Vulnerability grade factor: low risk 0.8; medium risk 1.0; high risk 1.5; critical (e.g., remote command execution) 2.0 (graded by CVSS)
Business impact factor: non-core business (e.g., a corporate blog) 0.8; core business (e.g., e-commerce orders / education results / payments) 1.2-1.5
Real-world case: pricing an SQL injection (high-risk) on an e-commerce login page
Formula 2: full penetration project pricing formula (for the "site-wide penetration" scenario)
Applicable scenario: Party A asks you to test the entire site (e.g., "official website + user center + backend management system") and wants a full penetration report covering multiple vulnerabilities.
Formula: full project price = (sum of module base prices) x complexity factor + value-added service price
Parameters (module / base price, 2024 reference / complexity factor standard):
Web frontend: 1,500 yuan (tests XSS / CSRF / open redirect vulnerabilities); complexity factor: simple (static pages) 0.9; medium (interactive, e.g., login / registration) 1.0; complex (framework-based, e.g., Vue/React) 1.2
Backend management system: 2,000 yuan (privilege escalation / injection / upload); complexity factor: simple (10 functional modules or fewer) 1.0; medium (10-20 modules) 1.2; complex (20 or more modules + role permissions) 1.5
Server security: 1,500 yuan (port detection / weak passwords / configuration vulnerabilities); complexity factor: simple (one server) 0.9; medium (up to 3 servers) 1.0; complex (more than 3 + cloud servers) 1.2
Value-added services: fix code 500 yuan per vulnerability; follow-up validation 300 yuan per validation; added as needed, for example "fix code for 3 high-risk vulnerabilities, add 500 yuan"
Real-world case: pricing a full penetration test of an education platform (3 modules)
Sum of module base prices: 1500 + 2000 + 1500 = 5,000 yuan
Complexity factor: 1.2 (web frontend) x 1.2 (backend) x 0.9 (server) = 1.296 (rounded to 1.3)
Value-added service price: 500 x 2 = 1,000 yuan
Total price: 5000 x 1.3 + 1000 = 7,500 yuan
Formula 3: rush order pricing formula (for the "Party A wants it fast" scenario)
Applicable scenario: Party A says, "I need the report in three days; normally it takes a week, so you'll have to work overtime."
Formula: rush price = regular price x rush factor + cost reimbursement
Parameters (rush time / rush factor / cost reimbursement, optional / notes):
Half the regular time (e.g., 7 days → 3 days): rush factor 1.5; reimbursement 200-300 yuan; for example, for weekend work add a "200 yuan overtime allowance", but frame it as "compensation for time cost, not an extra charge"
One third of the regular time (e.g., 7 days → 2 days): rush factor 2.0; reimbursement 300-500 yuan; suited to emergencies (e.g., Party A has a deadline to meet), but state in advance that "some non-core test items may be reduced, with high-risk vulnerabilities detected first"
Real-world case: pricing a rush penetration test of a corporate official website (7 days → 3 days)
III. Reference quotation tables for different vulnerabilities / scenarios (copy directly, no calculation needed)
To make this easier, I've prepared a 2024 part-time cybersecurity quotation reference table, organised by "vulnerability type" and "business scenario", so newcomers can match it directly against their target:
Table 1: base quotations for different vulnerability types (single vulnerability, non-core business), with services included (vulnerability type / risk level / CVSS / price in yuan / services included)
SQL injection: high risk; CVSS 7.0-8.9; 2,500-3,500; vulnerability report + fix code (PDO / parameterized query) + 1 validation
File upload: high risk; CVSS 7.0-8.9; 2,300-3,200; vulnerability report + file validation code (extension / type check) + 1 validation
Horizontal privilege escalation: medium risk; CVSS 4.0-6.9; 1,200-1,800; vulnerability report + permission validation logic + 1 validation
XSS (stored): medium risk; CVSS 4.0-6.9; 1,000-1,500; vulnerability report + input filtering code + 1 validation
Weak password (administrator): low risk; CVSS 0.1-3.9; 600-10000; report + password complexity recommendations + weak password dictionary
Open server ports: low risk; CVSS 0.1-3.9; 500-800; report + port closing commands (Linux / Windows)
Table 2: full project quotations for different business scenarios (3 modules, regular time) (business scenario / complexity / price in yuan / scope)
Corporate official website (showcase): simple; 40000-6000; web frontend + backend + 1 server, focus on injection / upload
E-commerce site (small scale): medium; 6000-9000; web + backend + 2 servers (web / database), focus on payment / order vulnerabilities
Education platform (K12): medium; 7000-10000; web + backend + 2 servers, focus on results / parent information leakage
Mini-program (tool type): complex; 8000-12000; frontend (mini-program) + backend API + 2 servers, focus on privilege-escalation interfaces / data leakage
IV. Three phrases for handling Party A's bargaining
When Party A asks "Can it be cheaper?", don't panic. Use these three phrases and you won't have to cut the price.
Phrase 1: emphasise "value-added services", don't talk about "discounts"
Phrase 2: split the quote into a "basic version / full version" and let Party A choose
Phrase 3: use "risk" as the anchor for the price, and let Party A do the math
V. Three pits newcomers must avoid (don't chase small gains)
Pit 1: quoting below your time cost
Don't quote "800 yuan for one high-risk vulnerability" only to find the work more complex than expected: the report is written on overtime for no profit, and Party A may even ask you to "test the other modules as a favour". Pricing must at least cover your "time cost" (e.g., if your day rate is 500 yuan and testing one vulnerability takes three days, the base price cannot be less than 1,500 yuan).
Pit 2: starting work without a service agreement
After pricing, sign an agreement that spells out "the scope of services (which modules are tested and which are excluded), the delivery time, the settlement method (e.g., 50% up front, 50% on delivery) and the rates for additional services (e.g., how much is added for rush orders or extra modules)", to avoid Party A later demanding work it hasn't paid for, or leaving payment outstanding.
Pit 3: ignoring after-sales cost
The quote should set aside "after-sales time", such as "one free validation after the fix", without overloading your schedule, so that you can respond promptly if questions come up after the fix. Otherwise Party A feels "you take the money and disappear", and there is no next time.
Free pricing toolkit (use directly, no calculation needed)
To help you price quickly, I've put together a part-time cybersecurity pricing toolkit containing:
1. Pricing calculator Excel template: enter "vulnerability level, business scenario, rush time" to calculate the price and generate an itemised list
2. Full quotation reference table: detailed quotes for 10 vulnerability types and 5 business scenarios, with the "negotiable room" marked (e.g., high-risk vulnerabilities can be reduced by 10%; reductions on low-risk vulnerabilities are not recommended)
3. Service agreement template: contains core clauses such as "scope of services, settlement, after-sales", ready to adapt and sign with Party A
4. Negotiation phrasebook: 10 types of scripted responses (e.g., "the budget isn't enough", "others are cheaper") to use directly
How to get it: follow my SDN account and send the private message "pricing tool"; it is sent automatically (free, no reposting required).
Finally, the heart of pricing is: "make Party A feel it's getting 'value', not 'cheap'".
Many beginners think "the lower the price, the easier it is to win the order", but in fact Party A hiring a part-timer is not looking for "cheap", it is looking for "solving the problem at a reasonable cost". When you price with the formulas, with a clear service breakdown and a risk analysis for the business, Party A thinks "this person is a professional; spending this money avoids trouble later", and naturally cuts the price far less often.
Since I started using these three formulas on my orders, my price-cut rate has dropped from 60% to 15%, and repeat clients basically don't haggle at all, because they know "what service my quote buys". If you have pricing questions (e.g., you don't know how to set the impact factor), ask in the comments and I'll answer.