Penetration test policy
Data and infrastructure security is a priority for VK Cloud. Consumers of cloud services can independently or with the help of contractors test the security of their applications and resources hosted in VK Cloud.
Penetration testing allows you to identify vulnerabilities, assess the effectiveness of protection, predict risks, create an incident response plan, and confirm compliance with security standards. The penetration testing policy describes the conditions and procedures for conducting such tests.
To conduct penetration tests, review the test conditions and submit a testing request.
For additional advice, contact the VK Cloud security team at CloudSecurity@vkteam.ru.
This policy applies to all public VK Cloud services and infrastructure. It is intended for customers (consumers of cloud services) who wish to conduct security testing of their applications and resources hosted in VK Cloud.
-
Prior notification and approval:
- Submit a request to conduct penetration testing. Preparing for testing will take at least 10 business days.
- VK Cloud reserves the right to approve or reject the request to conduct tests.
-
Areas allowed for testing:
- Customers may only conduct testing on their own resources and data.
- Testing of shared VK Cloud infrastructure components such as networks, databases, storage, and management systems is prohibited. Testing such components may affect other users.
- Testing of services provided by VK Cloud as SaaS solutions is prohibited.
-
Testing methods:
- Only testing methods that do not harm the infrastructure and data of other customers are allowed.
- The use of methods that may cause denial of service (DoS/DDoS), cloud service disruptions, or compromise of other customers' data is prohibited.
- Customers are required to comply with all applicable laws and regulations during testing.
-
Responsibility and accountability:
- Customers bear full responsibility for the consequences of conducting penetration tests.
- If testing reveals vulnerabilities in VK Cloud public services or infrastructure, the customer is obligated to notify VK Cloud immediately at CloudSecurity@vkteam.ru.
-
Data privacy and security:
- All information obtained during testing shall be treated as confidential.
- Customers agree not to disclose information concerning VK Cloud's infrastructure and security to third parties.
- Write to CloudSecurity@vkteam.ru and specify:
- goals and scope of the testing
- a list of IP addresses, domain names, and other resources to be tested
- anticipated testing methods and tools
- contact details for the team conducting the testing on your side
- Receive confirmation and approval of the request from the VK Cloud team.