Frequently Asked Questions About Cloud Security Testing

Do I need Oracle's permission for all penetration and vulnerability tests?

No. Per the Oracle Penetration and Vulnerability Testing Policy, you do not need Oracle's permission to conduct penetration and vulnerability tests of the customer components included in certain Oracle Cloud services. However, you will need to notify Oracle prior to commencing such penetration and vulnerability testing. You may not conduct any penetration and vulnerability testing for Oracle Software as a Service (SaaS) offerings.

How can I notify Oracle for penetration and vulnerability tests?

To notify Oracle, you must send an email with information about the targets you wish to test, the planned start and end dates of your test, as well as the testing tools you want to use. See Submitting a Cloud Security Testing Notification.

Which instances can I test?

The Oracle Penetration and Vulnerability Testing Policy only permits testing of instances, services, and applications that are customer components. All other aspects and components of the Oracle Cloud Services (including Oracle-managed facilities, hardware components, networks, software, and database instances) must not be tested. You may not conduct any penetration and vulnerability testing of Oracle Software as a Service (SaaS) offerings. In addition, you may not attempt to socially engineer Oracle employees or perform physical penetration and vulnerability testing of Oracle facilities.

What other actions on my part are required after I receive an authorization to perform my tests?

No other actions are required before performing your tests. You may conduct your testing for the duration you requested.

What do I do when I believe that I have discovered a potential security issue related to Oracle Cloud?

If you believe you have discovered a potential security issue related to Oracle Cloud, you must report it to Oracle within 24 hours, by conveying the relevant information to My Oracle Support. You must create a service request (SR) within 24 hours and you must not disclose this information publicly or to any third party. Note that some of the vulnerabilities and issues you discovered may be resolved by you, by applying the most recent patches in your instances.

What limitations do I need to be aware of regarding my tests?

All penetration and vulnerability testing against Oracle Software as a Service (SaaS) instances is prohibited. In addition, the Oracle Penetration and Vulnerability Testing Policy sets forth certain rules applicable to the performance of penetration and vulnerability testing on Oracle Cloud Services. See the policy for limitations.

Can I conduct any tests that may exceed the bandwidth quota for my subscription?

No. You are not allowed to conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your subscription.

Can I use my hosted instances to conduct assessments against other services not hosted by Oracle?

No, all testing must be directed at single-tenant Oracle Infrastructure as a Service (Oracle IaaS) or Oracle Platform as a Service (Oracle PaaS) instances hosted by Oracle. These are not to be used as a platform to test other internet-based services.