Oracle Cloud Security Testing Policy

This policy outlines when and how you may conduct certain types of security testing of Oracle Cloud Services, including vulnerability and penetration tests, as well as tests involving data scraping tools. Notwithstanding anything to the contrary, any such testing of Oracle Cloud Services may be conducted only by customers who have an Oracle Account with the necessary privileges to file service maintenance requests, and who are signed-in to the environment that will be the subject of such testing.

Penetration and Vulnerability Testing

Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud Services.

However, Oracle does not assess or test any components (including non-Oracle applications, non-Oracle databases, or other non-Oracle software, code, or data, as may be applicable) that you manage through or introduce into the Oracle Cloud Services (the "Customer Components"), including components you develop in or create in the Oracle Cloud Services. This policy does not address or provide any right to conduct testing of any third-party materials included in the Customer Components.

Except as otherwise permitted or restricted in your Oracle Cloud Services agreements, your service administrator who has system level access to your Oracle Cloud Services may run penetration and vulnerability tests for the Customer Components included in certain of your Oracle Cloud Services in accordance with the following rules and restrictions.

Permitted Cloud Penetration and Vulnerability Testing

The following explains where penetration and vulnerability testing of Customer Components is permitted:

  • IaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant Oracle Infrastructure as a Service (IaaS) offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud Services including the facilities, hardware, software, and networks owned or managed by Oracle or its agents and licensors.

  • PaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of your acquired single-tenant PaaS offerings. You must notify Oracle prior to conducting any such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer Components; however, you may not assess any other aspects or components of these Oracle Cloud Services including the facilities, hardware, networks, applications, and software owned or managed by Oracle or its agents and licensors. To be clear, you may not assess any Oracle applications that are installed on top of the PaaS service.

  • SaaS: Penetration and vulnerability testing is not permitted for Oracle Software as a Service (SaaS) offerings.

Rules Of Engagement

The following rules of engagement apply to cloud penetration and vulnerability testing:

  • Your testing must not target any other subscription or any other Oracle Cloud customer resources, or any shared infrastructure components.

  • You must not conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your subscription.

  • You are strictly prohibited from utilizing any tools or services in a manner that performs Denial-of-Service (DoS) attacks or simulations of such, or any "load testing" against any Oracle Cloud asset, including yours.

  • Any port scanning must be performed in a non-aggressive mode.

  • You are responsible for independently validating that the tools or services employed during penetration and vulnerability testing do not perform DoS attacks, or simulations of such, prior to assessment of your instances. This responsibility includes ensuring any contracted third parties perform assessments in a manner that does not violate this policy.

  • Social engineering of Oracle employees and physical penetration and vulnerability testing of Oracle facilities are prohibited.

  • You must not attempt to access another customer’s environment or data, or to break out of any container (for example, virtual machine).

  • Your testing will continue to be subject to terms and conditions of the agreement(s) under which you purchased Oracle Cloud Services, and nothing in this policy shall be deemed to grant you additional rights or privileges with respect to such Cloud Services.

  • If you believe you have discovered a potential security issue related to Oracle Cloud, you must report it to Oracle within 24 hours by conveying the relevant information to My Oracle Support. You must create a service request within 24 hours and must not disclose this information publicly or to any third party. Note that some of the vulnerabilities and issues you may discover may be resolved by you by applying the most recent patches in your instances.

  • In the event you inadvertently access another customer’s data, you must immediately terminate all testing and report it to Oracle within one hour by conveying the relevant information to My Oracle Support.

  • You are responsible for any damages to Oracle Cloud or other Oracle Cloud customers that are caused by your testing activities by failing to abide by these rules of engagement.

Notification Process

The process for notifying Oracle of your election to conduct a penetration or vulnerability test, as required by this policy, is described in Submitting a Cloud Security Testing Notification.

Submitting a Cloud Security Testing Notification

As a service administrator, you can run tests for some Oracle Cloud services.
Before running the tests, you must first review the Penetration and Vulnerability Testing section above. Follow the steps below to notify Oracle of a penetration and vulnerability test.

Note:

You must have an Oracle Account with the necessary privileges to file service maintenance requests, and you must be signed in to the environment that will be the subject of the penetration and vulnerability testing.

To notify Oracle of a penetration test:
  1. Sign in to Applications Console or Infrastructure Classic Console.
    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Infrastructure Console.
  2. From the service tile in the dashboard, click the Action icon, and then select Maintenance and Service Requests.
  3. On the Service Request Details page, select Penetration & Vulnerability Testing from the Request Type list.
  4. Review the information and accept the terms and conditions, and then click Next.

    The available time slots are identified with the text, “Penetration and Vulnerability Testing”.

    You can switch your view to either daily, weekly, monthly, or a list by using the respective buttons on top of the calendar. The view you select is stored as your preference and you’ll be shown the same when you log in the next time.

  5. Select an available slot by clicking Penetration & Vulnerability Testing on a specific date, and then complete the request:
    1. Provide technical contact details. If using a third party for testing, then provide the name and email address of the third party.
    2. Specify the testing details, such as duration of testing, purpose, IP addresses, services, and other information. Required fields are marked with an asterisk (*).
    3. Click Submit Request.

A service maintenance request is created and is automatically approved. In some cases, we may require your approval to confirm the time slots of your maintenance. Such requests are indicated by the phrase To Review. The status of each filed service maintenance request is color-coded and displayed in the calendar. To view, edit, or cancel your service maintenance request, see Viewing and Editing Service Maintenance Requests.

Frequently Asked Questions About Cloud Security Testing

This section provides answers to frequently asked questions (FAQ) related to cloud security testing.

Do I need Oracle’s permission for all penetration and vulnerability tests?

No. Per the Oracle Penetration and Vulnerability Testing Policy, you do not need Oracle's permission to conduct penetration and vulnerability tests of the customer components included in certain Oracle Cloud services. However, you will need to notify Oracle prior to commencing such penetration and vulnerability testing. You may not conduct any penetration and vulnerability testing for Oracle Software as a Service (SaaS) offerings.

How can I notify Oracle for penetration and vulnerability tests?

To notify Oracle, you must log into Infrastructure Classic Console or Applications Console using the administrator credentials associated with the instances you wish to test. You will need to complete and submit a form with information about the instances you wish to test, the planned start and end dates of your test, and the testing tools you want to use. This notification process is explained in more detail in Submitting a Cloud Security Testing Notification.

Which instances can I test?

The Oracle Penetration and Vulnerability Testing Policy only permits testing of instances, services, and applications that are customer components. All other aspects and components of the Oracle Cloud Services (including Oracle-managed facilities, hardware components, networks, software, and database instances) must not be tested. You may not conduct any penetration and vulnerability testing of Oracle Software as a Service (SaaS) offerings. In addition, you may not attempt to socially engineer Oracle employees or perform physical penetration and vulnerability testing of Oracle facilities.

What other actions on my part are required after I receive an authorization to perform my tests?

No other actions are required before performing your tests. You may conduct your testing for the duration you requested.

What do I do when I believe that I have discovered a potential security issue related to Oracle Cloud?

If you believe you have discovered a potential security issue related to Oracle Cloud, you must report it to Oracle within 24 hours, by conveying the relevant information to My Oracle Support. You must create a service request (SR) within 24 hours and you must not disclose this information publicly or to any third party. Note that some of the vulnerabilities and issues you discovered may be resolved by you, by applying the most recent patches in your instances.

What limitations do I need to be aware of regarding my tests?

All penetration and vulnerability testing against Oracle Software as a Service (SaaS) instances is prohibited. In addition, the Oracle Penetration and Vulnerability Testing Policy sets forth certain rules applicable to the performance of penetration and vulnerability testing on Oracle Cloud Services. See the policy for limitations.

Can I conduct any tests that may exceed the bandwidth quota for my subscription?

No. You are not allowed to conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your subscription.

Can I use my hosted instances to conduct assessments against other services not hosted by Oracle?

No, all testing must be directed at single-tenant Oracle Infrastructure as a Service (Oracle IaaS) or Oracle Platform as a Service (Oracle PaaS) instances hosted by Oracle. These are not to be used as a platform to test other internet-based services.