This page explains the limitations for customer-performed Security Testing conducted by you, and any third-parties that you may engage to perform such testing on your behalf (each a “Third-Party Tester”), against Oracle Cloud Services whether hosted in an Oracle-controlled data center or in a customer’s physical location (for example, Oracle cloud@customer). For Oracle Cloud Services with Service Specifications, this Testing Policy is considered part of such Specifications. You should review the “Helping you determine the applicable Security Tests limitations” section of the Overview page to determine if the limitations listed below apply to your intended Security Tests.
To perform Security Testing, customer testers must have an Oracle Account with the necessary privileges to create Support Requests and be able to log into the applicable Oracle Cloud Services to be tested. Because Security Tests in a cloud environment may have unintended consequences and trigger alarms for the cloud security teams, customer-performed security testing activities are subject to several limitations.
These reports are available to customers of these services under a non-disclosure agreement. You should contact your Oracle account representative to obtain these reports.
| Oracle Cloud environment to be tested | Security Testing activity | Procedure for notification |
|---|---|---|
| Oracle Cloud Infrastructure (OCI) | Prior notification is required for OCI customers seeking to test the security of the resources they have deployed or configured within their OCI tenancy but NOT test the underlying OCI services themselves. OCI services include the OCI console, OCI APIs and OCI Cloud Services (such as Compute, Storage and Autonomous Database). | Forward the completed Oracle Cloud Security Testing Request Form (PDF) to security_test_notification_grp@oracle.com. In the description of your testing activities (Section E of the form), make sure to indicate that your testing activities will be limited to validating the security of your resources configured within your tenancy. Security testing activities can start five (5) business days after the completed Testing Request Form is submitted. |
| Oracle Cloud Service to be tested | Security Testing activity | Procedure for notification |
|---|---|---|
| Oracle Cloud Infrastructure (OCI) | Prior approval is required for OCI customers seeking to test the security of OCI services including the OCI console, OCI APIs and OCI cloud services (such as Compute, Storage and Autonomous Database). | Forward the completed Oracle Cloud Security Testing Request Form (PDF) to security_test_notification_grp@oracle.com. Upon approval of the Security Testing activities by Oracle, you will be required to execute a Cloud Security Testing Addendum which will indicate the starting date of testing. |
| Oracle Cloud Applications (“Oracle SaaS”) | Prior approval is required. Approval will be based on regulatory requirements to meet a specific applicable regulation. | Forward the completed Oracle Cloud Security Testing Request Form (PDF) through My Oracle Support as a technical Service Request. Upon approval of the Security Testing by Oracle, you will be required to execute a Cloud Security Testing Addendum which will indicate the starting date of testing. |
| Oracle NetSuite | Prior approval is required. Approval will be based on regulatory requirements to meet a specific applicable regulation. | Contact your account representative to complete an Oracle Cloud Security Testing Request Form (PDF). Upon approval of the Security Testing by Oracle, you will be required to execute a Cloud Security Testing Addendum which will indicate the starting date of testing. |
| Oracle Cloud for Industries | Prior approval is required. Approval will be based on regulatory requirements to meet a specific applicable regulation. | Submit your Oracle Cloud Security Testing Request Form (PDF) through the support mechanism associated with your Cloud Service. Upon approval of the Security Testing by Oracle, you will be required to execute a Cloud Security Testing Addendum which will indicate the starting date of testing. |
| Oracle Customer Success Services (CSS) | Prior approval is required. | Contact your CSS Account Representative to complete an Oracle Cloud Security Testing Request Form (PDF). Upon approval of the Security Testing by Oracle, you will be required to execute a Cloud Security Testing Addendum which will indicate the starting date of testing. |
The Oracle Cloud Security Testing Request Form (“Testing Request Form”) must be used to provide Oracle with prior notice of, or to seek approval to conduct, as applicable, Security Tests of your Cloud Services under this Testing Policy. Requestors should complete all sections of the Testing Request Form. By completing the Testing Request Form you acknowledge and agree that such tests will be conducted by you, or your designated Third-Party Tester, if applicable, in accordance with the terms and conditions in this Testing Policy. Incomplete or ambiguous information provided with your Testing Request Form may result in delays or the rejection of the Security Tests.
By notifying Oracle of testing or requesting approval for testing, you represent that you will be bound by all the testing limitations applicable to the Oracle Cloud Service you are testing as set forth in this Testing Policy and the relevant Oracle Cloud Security Testing Addendum (where applicable).
Oracle will allow testing of Oracle Cloud Services acquired under your Cloud Services Agreement solely to determine whether they meet your requirements.
Your Security Tests must be limited to the Oracle Cloud Services for which you have an active subscription and have obtained approval, or provided notification, as applicable pursuant to the “Security Tests requiring prior notification” and “Security Tests requiring prior approval” sections of this page. Security Tests must be performed in compliance with the information you have submitted while notifying Oracle about your intended security testing activity (for example, you need to abide by the “description of testing activities” you have disclosed to Oracle in your submitted Testing Request Form and by the terms included in your Oracle Cloud Security Testing Addendum, if applicable).
Testing for benchmarking or competitive intelligence is specifically prohibited.
All Security Tests of Oracle Cloud Services must be conducted in accordance with this Testing Policy and your applicable Oracle Cloud Agreement. This includes keeping any use of Cloud Services as part of the Security Tests within the quantity and metric which you have acquired for the applicable Cloud Services. If at any time you exceed the quantity of Cloud Services ordered, then you must promptly purchase and pay fees for the excess usage quantity.
Prior to conducting any Security Tests that require Oracle approval, Oracle and the customer must sign an Oracle Cloud Security Addendum (“Cloud Security Testing Addendum”) to the Oracle Cloud order under which the customer acquired the applicable Cloud Services. The Oracle Cloud Security Testing Addendum incorporates this Testing Policy and defines specific parameters that will apply to the Security Tests of the applicable Oracle Cloud Services, including the payment to Oracle of any applicable fees. A separate Cloud Security Testing Addendum is required for each set of Security Tests that a customer seeks to conduct against its Oracle Cloud Services for which such an Addendum is required under this Testing Policy.
You are responsible for all damages to Oracle or other Oracle customers which are caused by you or your personnel’s (including your Third-Party Tester’s) testing activities. If you are a reseller or distributor of the Cloud Services, you are also responsible for your customers’ compliance with the terms and conditions in this Testing Policy.
Upon Oracle’s notice, you agree to immediately cease, and cause your personnel (including any Third-Party Tester) to cease, all testing activities which Oracle believes, in its sole discretion, pose a material harm to the functionality, security, integrity, or availability of Oracle’s or your, or any other customers’, services, systems, operations or any content, data, or applications in such services (the “Harmful Acts”). Oracle reserves the right to suspend, block access to, or terminate the applicable Oracle Cloud Services and testing activities, to prevent or address Harmful Acts arising from any Security Tests.
You cannot manipulate, influence, deceive, impersonate, or engage in other forms of “social engineering” targeting Oracle staff or subcontractors at any time.
Unless you have obtained written approval or other contractual rights from Oracle, Security Tests of Oracle Cloud Services cannot be performed for longer than ten (10) consecutive calendar days and may not extend beyond the end of your subscription period (i.e., Services Period) under your applicable Oracle Cloud Agreement. In addition, you cannot perform Security Tests more than once per calendar year per Oracle Cloud Service you acquire under an Oracle Cloud Agreement.
You must immediately stop all testing activities and notify Oracle if you suspect or become aware that your Security Tests have violated the terms of this Testing Policy, or adversely affected the Cloud Services (including, the control plane of such services), or breached any tenancy separation between you and other customers. Additionally, you are specifically prohibited from performing denial of service attacks on the Cloud Services as they may adversely impact other Oracle Cloud customers.
Any attempt to exploit discovered vulnerabilities, beyond what is necessary to determine whether the vulnerability allows unauthorized access or other malicious acts, is expressly prohibited. Nothing in this Testing Policy relieves your obligation to comply with all laws and regulations to the extent applicable to your use and receipt of the Cloud Services (including, the performance of the Security Tests).
See How to Report Security Vulnerabilities to Oracle for reporting these issues.
All findings of your Security Tests must be reported to Oracle at the completion of testing. Critical findings must be reported to Oracle immediately (see the “General do no harm” principle of this Testing Policy).
All information related to the Security Tests (including, without limitation, the findings of any Security Tests, and all plans, documents, and information related to the Security Tests) is deemed Confidential Information under the terms of the Oracle Cloud Agreement under which your applicable Oracle Cloud Services were acquired (the “Testing Confidential Information”). You may use Testing Confidential Information solely for the purposes of determining whether the Cloud Services listed in your Oracle Cloud Agreement meet your security requirements, and you may not disclose such information to any third party (other than your Third-Party Tester engaged in accordance with this Testing Policy, if applicable). In addition, you may disclose the Testing Confidential Information only to those employees, agents (including any Third-Party Tester, if applicable) and subcontractors who have a “need to know” such information in connection with evaluating the security of your Oracle Cloud Services; provided that their use remains limited to the foregoing purpose and subject to confidential treatment of such information pursuant to terms no less protective than those included in this Testing Policy and your applicable Oracle Cloud Agreement; you are responsible for ensuring that your employees, agents (including any Third-Party Tester, if applicable) and subcontractors comply with these terms and conditions. Testing Confidential Information may be used by Oracle for research and development purposes to update, improve, and remediate findings related to Oracle On-Premises Products and Cloud Services.
Customers and Third-Party Testers should refer to “Third-Party Testers” page to learn more, including the conditions for obtaining credit for the discovery of original vulnerabilities.
You must disclose to Oracle who will perform the Security Tests against your Oracle Cloud Services. Unless otherwise agreed by Oracle in writing, if the testing of your Cloud Services is performed by a third-party (for example, someone who is not employed by your organization), you must use a third-party on the “List of Security Testers for Oracle Cloud (PDF)”. The List of Security Testers for Oracle Cloud includes companies that are known to provide security testing services for Oracle Cloud Services and does not constitute a recommendation on the quality or coverage of the services they provide. Except as set forth in this section, you may not use third parties to perform Security Tests of your Cloud Services.
See the list of security organizations that Oracle has identified for performing security testing.
Whether you are required to obtain prior approval for Security Testing or notify Oracle of your intent to test (see the “Security Tests requiring prior notification” and “Security Tests requiring prior approval” sections of this page), you must identify the Cloud Services you will be testing and provide information about the nature of the testing activities you plan to perform by (1) submitting a completed Testing Request Form to Oracle and, as applicable, (2) entering into a Cloud Security Testing Addendum with Oracle. Refer to the “Testing Request Form” section of this Testing Policy for information you must provide to Oracle prior to performing your Security Tests.
You may only test third-party services and application programming interfaces (APIs) to the extent permitted by your separate agreement with the applicable third-party. The intended scope of testing must be clearly stated in your Oracle Cloud Security Testing Request Form.
For Cloud Services which require Oracle’s prior approval under this Testing Policy, you must also provide additional information on the parameters of the intended Security Tests in the applicable Cloud Security Testing Addendum between you and Oracle. Refer to the “Requirement for Customer to enter into an Oracle Cloud Security Testing Addendum” section of this Testing Policy for information on the Cloud Security Testing Addendum.
You should not seek to intentionally break the tenancy separation between you and other customers of the Oracle Cloud. In addition, your testing activities should not have an adverse impact on other customers of the Cloud Services, including by attempting to access their Cloud Services or their data. See the “General do no harm” principle in this Testing Policy.
You cannot perform Security Testing against Oracle-managed and Oracle-deployed resources used in the delivery of your Oracle Cloud Services, including control plane elements, common cloud services, and container layers.
Port and vulnerability scanning should be performed in non-aggressive mode only.
You are strictly prohibited from attempting Denial of Service (DoS) attacks and from utilizing any tools or services in a manner that performs Denial of Service (DoS) attacks or simulations of such, or any “load testing” against any Oracle Cloud Service. Additionally, you must not conduct any tests that will exceed the bandwidth quota or any other subscribed resource for your Cloud Services.
Reverse engineering and source code analysis are not allowed.
The use of screen scraping technology (outside the purpose of capturing a single screen to report a bug or documenting the unexpected behavior of a cloud application) is also prohibited.
Security Tests must comply with the terms of this Testing Policy.
Customers seeking to test the security of the resources they have deployed or configured within their OCI tenancy but NOT test the underlying OCI services themselves need not execute a Security Testing Addendum. OCI services include the OCI console, OCI APIs and OCI Cloud Services (such as Compute, Storage and Autonomous Database). They need only notify Oracle 5 business days prior to the start of intended Security Testing using the Oracle Cloud Security Testing Request Form, and must conduct such testing in accordance with the terms of this Testing Policy.
Security Tests must comply with the terms of this Testing Policy. Only the general limitations apply for Oracle Cloud for Industries.
Security Tests must comply with the terms of this Testing Policy. Only the general limitations apply for Oracle Cloud Applications.
Security Tests must comply with the terms of this Testing Policy. Additionally, NetSuite customers wishing to perform security testing must leverage a NetSuite third-party tester in a dedicated test environment.
Security Tests must comply with the terms of this Testing Policy.
CSS customers, including but not limited to ACS and MCS customers, must obtain formal approval to conduct Security Tests of these services no less than 30 business days prior to the requested testing start date. A customer can obtain such formal approval from Oracle through its designated Oracle point of contact and by completing a Testing Request Form.
Additionally, the Security Tests must be conducted within the access privileges granted to the customer as per their contract with Oracle. Oracle does not grant any additional privileges for the purpose of the Security Tests. This includes, but is not limited to, user accounts, user rights, firewall ports, network protocols and links. Finally, all Security Tests must be conducted from the customer’s network over a VPN/dedicated link, or over the Internet. Customer Security Tests may not be conducted from within an Oracle-owned network.
Security Testing of Oracle Cloud Services which are deployed by Oracle in the data center of a MultiCloud Provider (e.g., Microsoft Azure, AWS or Google Cloud) must comply with the terms of this Testing Policy.
However, with respect to Security Testing of any services (including as part of the Cloud Services) provided by a MultiCloud Provider (including physical security, environmental, and/or network controls provided by the MultiCloud Provider), the customer may conduct such tests only to the extent permitted by their separate agreement with the applicable MultiCloud Provider. In addition, Oracle is not obligated to conduct Security Testing on behalf of a customer of any services (including as part of the Cloud Services) performed by a MultiCloud Provider.