Oracle Cloud Infrastructure Documentation

Oracle Cloud Security Testing Policy

This section describes the Oracle Cloud Security Testing policy and how you can submit a request to schedule the tests of your Oracle Cloud services. The Oracle Cloud Security Testing Policy describes when and how you may conduct certain types of security testing of Oracle Cloud Services, including vulnerability and penetration tests, as well as tests involving data scraping tools. Notwithstanding anything to the contrary, any such testing of Oracle Cloud Services may be conducted only by customers who have an Oracle Account with the necessary privileges to file service maintenance requests, and who are signed in to the environment that will be the subject of such testing.

Penetration and Vulnerability Testing

Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud Services.

However, Oracle does not assess or test any components (including non-Oracle applications, non-Oracle databases, or other non-Oracle software, code, or data, as may be applicable) that you manage through or introduce into the Oracle Cloud Services, including introduction through your development in or creation in the Oracle Cloud Services (the “Customer Components”). This policy does not address or provide any right to conduct testing of any third-party materials included in the Customer Components.

Except as otherwise permitted or restricted in your Oracle Cloud Services agreements, your service administrator who has system level access to your Oracle Cloud Services may run penetration and vulnerability tests for the Customer Components included in certain of your Oracle Cloud Services in accordance with the following rules and restrictions.

Permitted Cloud Penetration and Vulnerability Testing

The following explains where penetration and vulnerability testing of Customer Components is permitted:

  • IaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant Oracle Infrastructure as a Service (IaaS) offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud Services including the facilities, hardware, software, and networks owned or managed by Oracle or its agents and licensors.

  • PaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant PaaS offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud Services including the facilities, hardware, networks, applications, and software owned or managed by Oracle or its agents and licensors. To be clear, you may not assess any Oracle applications that are installed on top of the PaaS service.

  • SaaS: Penetration and vulnerability testing is not permitted for Oracle Software as a Service (SaaS) offerings.

Rules of Engagement

The following rules of engagement apply to cloud penetration and vulnerability testing:

  • Your testing must not target any other subscription or any other Oracle Cloud customer resources, or any shared infrastructure components.

  • You must not conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your subscription.

  • You are strictly prohibited from utilizing any tools or services in a manner that performs Denial-of-Service (DoS) attacks or simulations of such, or any “load testing” against any Oracle Cloud asset, including yours.

  • Any port scanning must be performed in a non-aggressive mode.

  • You are responsible for independently validating that the tools or services employed during penetration and vulnerability testing do not perform DoS attacks, or simulations of such, prior to assessment of your instances. This responsibility includes ensuring any contracted third parties perform assessments in a manner that does not violate this policy.

  • Social engineering of Oracle employees and physical penetration and vulnerability testing of Oracle facilities are prohibited.

  • You must not attempt to access another customer’s environment or data, or to break out of any container (for example, virtual machine).

  • Your testing will continue to be subject to terms and conditions of the agreement(s) under which you purchased Oracle Cloud Services, and nothing in this policy shall be deemed to grant you additional rights or privileges with respect to such Cloud Services.

  • If you believe you have discovered a potential security issue related to Oracle Cloud, you must report it to Oracle within 24 hours by conveying the relevant information to My Oracle Support. You must create a service request within 24 hours and must not disclose this information publicly or to any third party. Note that some of the vulnerabilities and issues you may discover may be resolved by you by applying the most recent patches in your instances.

  • In the event you inadvertently access another customer’s data, you must immediately terminate all testing and report it to Oracle within one hour by conveying the relevant information to My Oracle Support.

  • You are responsible for any damages to Oracle Cloud or other Oracle Cloud customers that are caused by your testing activities when you fail to abide by these rules of engagement.

Notification Process

The process for notifying Oracle of your election to conduct a penetration or vulnerability test, as required by this policy, can be found in Submitting a Cloud Security Testing Notification.

Data Scraping Tools

Any use of data scraping tools or technologies with Oracle Cloud Services to collect data available through any Oracle user interface or via web service calls requires the express written permission of Oracle. Oracle reserves the right to require that your proposed data scraping tools are validated and tested by Oracle prior to use in production, and are subsequently re-validated and tested annually.