Penetration Test Terms

Terms and conditions for conducting security tests on our infrastructure and platform-as-a-service solutions

Overview

We regularly conduct our own and commissioned tests to verify the security of our online services. This is also an important part of application development and deployment for our customers. To enable this, we have developed these terms together with our customers, allowing you to conduct your own tests.

Request and Approval

Since a penetration test may be indistinguishable from an actual attack, these tests must be requested with a detailed description of the test scope and with a lead time of at least 7 days, and must be approved by IDNT. The process is as follows:

  • Request approval for a penetration test with your preferred date and an exact description of the test scope. The request must be submitted via the Penetration Test Approval Form.
  • IDNT will respond to the request within three (3) business days. If additional information is required, IDNT will contact you via the email address provided in the Penetration Test Approval Form.
  • After receiving approval from IDNT, you may conduct the tests listed in the approval during the agreed period. If you need more time or wish to conduct another test at a different time, a new approval is required.

Important: Please notify us immediately if you believe you have found a security issue in the online services offered by IDNT.

Terms for Conducting a Penetration Test

Conducting a penetration test must comply with the following terms:

  • You must be the owner of the services to be tested as part of a penetration test, or you must have the owner's consent.
  • No other customer or service offered by IDNT may be part of or targeted by the test.
  • You do not conduct any prohibited tests (see below).
  • You do not conduct any test that would exceed the permitted bandwidth for your online service.
  • You only conduct the tests approved by IDNT at the times agreed with IDNT, and observe any additional conditions set by IDNT as part of the approval for individual tests.
  • If you suspect a security issue with IDNT services, you will notify IDNT within 24 hours as described under "Report Security Issue" and you will neither publish nor disclose this information to any third party for a period of at least 90 days.
  • You are responsible for all damages resulting from non-compliance with these terms.

Standard Tests

The following tests are generally approved on an expedited basis:

  • Port scans on your IP endpoint addresses
  • Fuzz testing of your applications. Fuzz testing refers to the manual or automated input of incorrect, invalid, or unexpected information into your application.
  • All tests designed to uncover the OWASP Top 10 web security vulnerabilities.

Prohibited Tests

All forms of Denial of Service tests or other tests that demonstrate or simulate the presence of a Denial of Service are prohibited.

Privacy

All information you share with us as part of a penetration test request is confidential. IDNT will use this information solely to assist you in conducting the tests. For more information on privacy, please refer to our Privacy Policy.