Warning ⚠️: Not a new bounty writeup
We auditors all like to focus on the juicy crits and keep non-tech work to a minimum. Who cares about paperwork and meetings when you've just found a novel way to drain a DeFi contract? But all things should be done in moderation, and too often we see independent researchers totally skimp on getting even a basic agreement signed with the client.
This was something we also did in the first months of TrustSec: hook up with a client on TG / Discord, discuss team, price and timeline, and just get started. It felt smooth and frictionless, so what's the issue?
As with many things, it works well till it doesn't. When you manage 50+ audits a year, you start running into edge cases. And when you do, having things cleared up ahead of time avoids a ton of friction at potentially sensitive points in the audit timeline.
See, the point of a services agreement is not that it can be litigated at a court thousands of miles from your current location. Sure, in the worst case, it possibly can be. But mostly it's done to line up expectations from both sides, a way to force two sides to talk about details they otherwise wouldn't.
Here are just a few scenarios that have come up and should be explicitly handled:
- Client is not ready with final commit before start date.
- For unforeseen reasons, one or more auditors are not available for part of, or the entire audit window.
- Final scope requires longer review time, increasing costs.
- Disagreement over which tool and formatting are used to count the final SLOC.
- Client introduces new functionality for review in the fix audit.
- Client asks for payment to be sent only after report delivery.
- Client wishes to cancel the audit with just 24 hr prior notice.
- Client wishes to send payment on their preferred blockchain.
- Objections about the report being published after an acceptable wait period.
Aside from making it clear how to handle these scenarios, an agreement also provides auditors with critical protection:
- Waives any responsibility for missed bugs & exploits.
- Maintains IP rights on tools, attack concepts developed during the audit (to the extent the law permits).
- Arranges for down payments, cancellation fees and so on.
- Meets due diligence, KYB and legal-framework requirements. This is relevant for taxation, compliance, and source-of-funds requirements.
For those reasons, we quickly found that spending a bit of extra time before getting things booked is well worth it, and we encourage every auditor running a legitimate business to do the same.