WSO2 Cloud Penetration Testing Policy

WSO2 understands that you may need to conduct penetration testing in respect of WSO2 Cloud to evaluate its compliance with internal protocols and other standards. We permit such penetration testing subject to the following:

  1. Notification & WSO2 Terms. A request to conduct penetration testing must be submitted for approval to cloud@wso2.com; your request must detail the following as well as any other information that WSO2 may reasonably request from you: your contact information; scope of testing including which of WSO2 Cloud services you wish to target for testing; testing tools; third party contact information (if testing is performed by a 3rd party); source IP addresses (scanning servers); total bandwidth (expected Gbps); region; time zone; start time and date; end time and date. Note that end date can be a maximum of 90 days after the start date. We will acknowledge your request within 2 days.

    We recommend that you provide us with as much detail as possible on the penetration testing you wish to conduct on your initial request, this will expedite both the approval process as well as penetration testing.

    We will confirm whether or not your request is approved within 7 days of your submitting it. If your request is approved, our response, will, among other things, detail the specific terms on which your penetration testing may be conducted. Once you receive our approval you may carry out testing on the agreed terms until the agreed end date.

    We may, following our initial response, request further information and detail further terms on which you must conduct your penetration testing. You must comply with these terms. You must notify us and obtain our prior consent if you wish to vary any of the terms (such as variation of timelines) on which penetration testing has been permitted. Any penetration testing you conduct in respect of WSO2 Cloud will also be governed by the terms and conditions of the agreements you have signed up with us.
  2. Reporting of Issues. You must notify us of all issues detected through the penetration testing you conducted. Notification must be made within 24 hours of detection.
  3. AWS Terms. You understand that WSO2 has engaged with Amazon Web Services to provide WSO2 Cloud services and accordingly, you must comply with the following terms and conditions as applicable to any penetration testing you conduct https://aws.amazon.com/aup/
  4. Subscription. You warrant that you are the owner of the subscription or connection through which you wish to conduct penetration testing, which must, where applicable, be within your specific subscription tier.
  5. Security. Within 24 hours of concluding penetration testing, you must e-mail details of any security or other vulnerability or flaw that you detect to cloud@wso2.com; you must not disclose this vulnerability or flaw to any party.
  6. Queries. Your questions must be directed to:cloud@wso2.com
  7. Damage. You agree that you will not cause any damage or create any risk to WSO2 or to any of our customers through any penetration testing you conduct and that you will fully indemnify WSO2 in respect of any related claims.