Frequently Asked Questions About Cloud Security Testing
This section provides answers to frequently asked questions (FAQ) related to cloud security testing.
To fully understand how you can conduct cloud penetration and vulnerability testing of the Customer Components, you must first review the Penetration and Vulnerability Testing section.
No. Per the Oracle Penetration and Vulnerability Testing Policy, you do not need Oracle’s permission to conduct penetration and vulnerability tests of the customer components included in certain Oracle Cloud services. However, you will need to notify Oracle prior to commencing such penetration and vulnerability testing. You may not conduct any penetration and vulnerability testing for Oracle Software as a Service (SaaS) offerings.
To notify Oracle, you must log into My Services using your administrator credentials associated with the instances you wish to test. You will need to complete and submit a form with information about the instances you wish to test, the planned start and end dates of your test, as well as the testing tools you want to use. This notification process is explained in more detail in the Penetration and Vulnerability Testing section.
The Oracle Penetration and Vulnerability Testing Policy only permits testing of instances, services, and applications that are customer components. All other aspects and components of the Oracle Cloud Services (including Oracle-managed facilities, hardware components, networks, software, and database instances) must not be tested. You may not conduct any penetration and vulnerability testing of Oracle Software as a Service (SaaS) offerings. In addition, you may not attempt to socially engineer Oracle employees or perform physical penetration and vulnerability testing of Oracle facilities.
No other actions are required before performing your tests. You may conduct your testing for the duration you requested.
If you believe you have discovered a potential security issue related to Oracle Cloud, you must report it to Oracle within 24 hours by creating a service request (SR) in My Oracle Support that conveys the relevant information. You must not disclose this information publicly or to any third party. Note that you may be able to resolve some of the vulnerabilities and issues you discover yourself by applying the most recent patches to your instances.
All penetration and vulnerability testing against Oracle Software as a Service (SaaS) instances is prohibited. In addition, the Oracle Penetration and Vulnerability Testing Policy sets forth certain rules applicable to the performance of penetration and vulnerability testing on Oracle Cloud Services. See the policy for limitations.
No. You are not allowed to conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your subscription.
No. All testing must be directed at single-tenant Oracle Infrastructure as a Service (Oracle IaaS) or Oracle Platform as a Service (Oracle PaaS) instances hosted by Oracle. These instances are not to be used as a platform to test other internet-based services.