Penetration Test Conditions
We regularly carry out our own and commissioned tests to verify the security of our online services. This is also an important part of application development and deployment for our customers. In order to make this possible, we have developed these conditions together with our customers, which enable you to carry out your own tests.
Request and release
Since a penetration test may be indistinguishable from an actual attack, these tests must be requested with a detailed description of the test scope and a lead time of at least 7 days and released by IDNT. The procedure is as follows:
- Request for the release of a penetration test with desired date and an exact description of the test scope. The enquiry must be made via the Penetration Test Approval Form.
- IDNT will respond to the request within three (3) business days. In case further information is required, IDNT will contact you via the email address provided in the Penetration Test Approval Form.
- After IDNT has received the release, you can carry out the tests listed in the release within the agreed time period. If you need more time or want to re-test at a different time, you will need to re-request.
Please let us know immediately if you think you have found a security problem in the online services offered by IDNT.
Regulations for conducting a penetration test
A penetration test must be conducted in accordance with the following rules:
- You must be the owner of the services to be tested in a penetration test or you must have the permission of the owner.
- No other customer or service offered by IDNT may be part of the test or be the target of the test.
- You do not perform any of the forbidden tests (see below).
- You do not conduct a test that exceeds the bandwidth allowed for the online offer you are using.
- You only carry out the tests released by IDNT at the times agreed upon with IDNT and observe the additional conditions for the individual tests specified by IDNT as part of the release, if applicable.
- If you suspect a security problem with IDNT services, you will notify IDNT within 24 hours as described in "Report a security issue" and you will not disclose this information to any third party for a period of at least 90 days.
- You are responsible for all damages caused by non-compliance with these regulations.
The following tests are released by us at an accelerated rate:
- Port scans to your IP endpoint addresses
- Fuzz testing of your applications. Fuzz testing is the manual or automated input of incorrect, invalid or unexpected information into your application.
- All tests used to detect the OWASP Top 10 Web Security Vulnerabilities.
It is prohibited to perform any denial of service tests or other tests that demonstrate or simulate the presence of a denial of service.