Oracle Cloud Security Testing Policies

This section describes the Oracle Cloud Security Testing and Functional Testing policies, tests involving data scraping tools, and how you can submit a request to schedule tests of our services.

Oracle Cloud Security Penetration and Vulnerability Testing

The Oracle Cloud Security Testing policy describes when and how you may conduct certain types of security testing of Oracle Cloud Infrastructure services, including vulnerability and penetration tests, as well as tests involving data scraping tools. Any such testing of Oracle Cloud services may be conducted only by customers who have an Oracle Account with the necessary privileges to file service maintenance requests, and who are signed in to the environment that will be the subject of such testing.

Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle Cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud services.

However, Oracle does not assess or test any components (including non-Oracle applications, non-Oracle databases, or other non-Oracle software, code, or data, as may be applicable) that you manage through or introduce into the Oracle Cloud services, including components you develop or create within those services (the "Customer Components"). This policy does not address or provide any right to conduct testing of any third-party materials included in the Customer Components.

Except as otherwise permitted or restricted in your Oracle Cloud services agreements, your service administrator who has system level access to your Oracle Cloud services may run penetration and vulnerability tests for the Customer Components included in certain of your Oracle Cloud services in accordance with the following rules and restrictions.

Permitted Penetration and Vulnerability Testing

The following explains where penetration and vulnerability testing of Customer Components is permitted:

  • IaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant Oracle Infrastructure as a Service (IaaS) offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud services including the facilities, hardware, software, and networks owned or managed by Oracle or its agents and licensors.
  • PaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant Oracle Platform as a Service (PaaS) offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud services including the facilities, hardware, networks, applications, and software owned or managed by Oracle or its agents and licensors. To be clear, you may not assess any Oracle applications that are installed on top of the PaaS service.
  • SaaS: Penetration and vulnerability testing is not permitted for Oracle Software as a Service (SaaS) offerings.

Oracle Cloud Security Testing Rules of Engagement

The following rules of engagement apply to cloud penetration and vulnerability testing:

  • Your testing must not target any other subscription or any other Oracle Cloud customer resources, or any shared infrastructure components.

  • You must not conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your subscription.

  • You are strictly prohibited from utilizing any tools or services in a manner that performs Denial-of-Service (DoS) attacks or simulations of such, or any "load testing" against any Oracle Cloud asset, including your own.

  • Any port scanning must be performed in a non-aggressive mode.

  • You are responsible for independently validating that the tools or services employed during penetration and vulnerability testing do not perform DoS attacks, or simulations of such, prior to assessment of your instances. This responsibility includes ensuring any contracted third parties perform assessments in a manner that does not violate this policy.

  • Social engineering of Oracle employees and physical penetration and vulnerability testing of Oracle facilities are prohibited.

  • You must not attempt to access another customer's environment or data, or to break out of any container (for example, virtual machine).

  • Your testing will continue to be subject to terms and conditions of the agreement(s) under which you purchased Oracle Cloud services, and nothing in this policy shall be deemed to grant you additional rights or privileges with respect to such Cloud Services.

  • If you believe you have discovered a potential security issue related to Oracle Cloud, you must report it to Oracle within 24 hours by conveying the relevant information to My Oracle Support. You must create a service request within 24 hours and must not disclose this information publicly or to any third party. Note that some of the vulnerabilities and issues you discover may be resolved by applying the most recent patches to your instances.

  • In the event you inadvertently access another customer's data, you must immediately terminate all testing and report it to Oracle within one hour by conveying the relevant information to My Oracle Support.

  • You are responsible for any damages to Oracle Cloud or other Oracle Cloud customers that are caused by your testing activities if you fail to abide by these rules of engagement.

Notification Process

The process for notifying Oracle of your election to conduct a penetration or vulnerability test as required by this policy can be found in Submitting a Cloud Security Testing Notification.

Oracle Cloud Functional Testing

Important

You must abide by the terms of both this policy and the Oracle Cloud Security Testing policy when performing functional testing.

This policy outlines how and when you may conduct functional testing of Oracle Cloud services. The purpose of functional testing is to validate features of Oracle Cloud services to ensure they meet particular functional requirements or specifications. This is often referred to as black-box testing, regression testing, or unit testing whereby functionality of the application is assessed without the need to scrutinize internal structures or source code.

The following rules apply to functional testing of Oracle Cloud services:

  • You must not conduct any tests in the production environment. Before deployment, you must test all changes in a test environment.
  • You can perform functional testing using manual or automated tools.
  • You can conduct functional tests to validate the main functions of the Oracle Cloud service to meet business requirements including usability, accessibility, and error handling.
  • You must not use functional testing procedures or tools to test other aspects of the Oracle Cloud service, such as performance, reliability, and scalability.
  • You can conduct unit tests, user-acceptance tests, regression tests, and black-box tests to test the functionality of the Oracle Cloud services.

Data Scraping Tools

Any use of data scraping tools or technologies with Oracle Cloud services to collect data available through any Oracle user interface or from web service calls requires the express written permission of Oracle. Oracle reserves the right to require that Oracle validates and tests your proposed data scraping tools before their use in production, and that Oracle revalidates and retests them annually.

Automated Tools

Oracle doesn't make any recommendation on which third-party automated testing tools you can use.