Run Penetration Test

Hi there,

In order to ensure there are no security vulnerabilities on our site which is hosted on Netlify we would like to perform our own penetration test. Can you let me know if we can proceed with this and we have your approval to do so? Let me know if you need any additional information from me. Thanks in advance for your help!

hi annolmalik, thanks for checking with us about this. could you share an API ID, netlify site name or team id with us? that’s a good place to start.

Hi Perry, here is the netlify site name:

hiya @anmolmalik ,

Our sales team will reach out to you about appropriate plan levels for testing. For you and others who may come after, I wanted to clarify some things around such tests against Netlify:

  • Our terms of service state that we require you to get previous written authorization from us to run such scans. Yes, we are aware that we cannot stop you from doing so no matter whether you have authorization or not. If your scan causes problems for our service or staff, we will take it offline - so hopefully we can work together on such scans.
  • The main reason we require written authorization is how you run them and what you do with the results. The main concerns (regardless of written authorization) are these:
  1. It is possible for a poorly configured test to cause problems on our CDN (creating 100000 connections to the same CDN node in one second, for instance, would crash it, and would NOT represent real-world testing or results anyway).
  2. Taking the time to talk through methodologies and schedule a time window with you is generally something we only do for higher-level paid accounts. If you can afford to do penetration tests, you can afford to pay to host your website. Part of the process of getting written authorization is understanding the scope, timing, and source of your testing so our operations team can be aware of your activities as they occur, rather than considering them an active attack and potentially blocking traffic to our service or your site in defense.
  3. We need you to commit to responsibly reporting any vulnerabilities you discover (via our bug bounty program at HackerOne).

I believe my colleague Reesa will be in touch if she hasn’t already, but hopefully those terms are clearer now :slight_smile:

1 Like

Thanks for sharing this info. Looking forward to hearing back from your sales team.