Hi.
Our client recently conducted a penetration test on the web application hosted on Netlify, and one of the vulnerabilities they mentioned was that there are some sensitive open ports. They would want us to close the ports, but I don’t think Netlify has a provision for this. How do we proceed in such a case?
Conducting any kind of tests without an explicit written permission from our end is against our Terms of Use and can lead to account termination.
With that being said, we need a proof of exploit. This has been reported several times in the past, and it’s always some port that Netlify needs for its operations. None of the reports that I have seen so far have had any unnecessary open port, so I’d suggest taking your test results with a grain of salt. You cannot disable any ports from your end, but if you wish, you can let us know what you’ve found and we can let you know why they’re open or whether they can be closed from our end.
I was not aware that conducting tests requires an explicit written permission. Thank you for bringing this to my attention. We will make sure we get the required permission moving forward.
The ports mentioned were 21, 80, 554, 1723.
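Before taking a scanner's "open port" line item to the host, it is worth checking whether each port actually completes a TCP handshake and returns a service banner, or whether it is merely filtered (timeout) or refused. The script below is an added example for doing that check; it is not from the thread, from Netlify, or from the pentest report, and it says nothing about what the listed ports do on Netlify's edge. It spins up a constructed local listener so it runs offline; running it against any host you do not own requires the host's written permission, as the reply above notes.

```python
import socket
import threading

# Ports named in the thread, with the service a scanner would typically label them as.
REPORTED_PORTS = {21: "ftp", 80: "http", 554: "rtsp", 1723: "pptp"}


def probe_port(host, port, timeout=3.0, banner_bytes=128):
    """Attempt a full TCP connect and read a banner.

    Returns (state, banner): state is "open" (handshake completed),
    "closed" (RST / connection refused) or "filtered" (no answer within
    the timeout, or another socket error). banner is whatever the peer
    sent unprompted, b"" if nothing arrived before the timeout.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return ("filtered", b"")
    except ConnectionRefusedError:
        s.close()
        return ("closed", b"")
    except OSError:
        s.close()
        return ("filtered", b"")
    try:
        try:
            banner = s.recv(banner_bytes)
        except socket.timeout:
            # Port accepts connections but no service greeting: a load
            # balancer or edge proxy often looks like this.
            banner = b""
    finally:
        s.close()
    return ("open", banner)


def run_report(host, ports, timeout=3.0):
    """Probe each port and return [(port, label, state, banner), ...]."""
    rows = []
    for port in ports:
        state, banner = probe_port(host, port, timeout)
        rows.append((port, REPORTED_PORTS.get(port, "?"), state, banner))
    return rows


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a real service: listens on an ephemeral
    port and sends `banner` to every client. Returns (server_socket, port).
    Close the socket to stop the background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Grab an ephemeral port and release it so a probe should get RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Offline demonstration: one constructed FTP-like banner, one closed port."""
    srv, open_port = start_fake_service(b"220 example ftp ready\r\n")
    try:
        results = {
            "open": probe_port("127.0.0.1", open_port, timeout=2.0),
            "closed": probe_port("127.0.0.1", find_closed_port(), timeout=2.0),
        }
    finally:
        srv.close()
    return results


if __name__ == "__main__":
    for name, (state, banner) in demo().items():
        print(f"{name:>6}: state={state} banner={banner!r}")
```

Against a real target you would call `run_report(host, REPORTED_PORTS)`; a port that reports "open" with an empty banner is a connect-only listener and is weak evidence of an exposed service, whereas a greeting such as `220 ... ready` is the kind of proof the host asked for.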
You will need to contact our sales department for further assistance with any pentesting or security concerns regarding your website. If you have proof of a Netlify vulnerability, contact security@netlify.com; you should receive an auto-response that describes how to join our bug bounty program and report vulnerabilities via HackerOne.