Guidelines for penetration tests

BlueConic recognizes the need for our customers to run periodic penetration tests. Advance permission from BlueConic is required, however, because penetration testing is frequently indistinguishable from prohibited security violations and application/network abuse.

Authorization for penetration tests from BlueConic

Permission can be requested by emailing support@blueconic.com with the following information:

  • What BlueConic environment you want to test
  • Expected start and end dates/times
  • What type of tests will be run

We will respond to the request by email within 48 hours. When such a request is initiated, we (BlueConic) must request permission for the penetration test from Amazon Web Services (AWS), which must grant permission before the test can take place. BlueConic will always keep information shared with us confidential.

If accepted, you may conduct your testing through the conclusion of the period indicated. If you need more time for additional testing, reply to the email and ask to extend your test period to the new date. We must again request permission from AWS at this point, and the extension is not authorized until you receive a new confirmation from us.

To prevent potential adverse performance impacts on resources you may be sharing with others:

  • Penetration tests may only be run against the specified BlueConic environment
  • (D)DoS tests are not permitted

If suspected vulnerabilities are found, please report them using https://support.blueconic.com/hc/en-us/articles/201606001-Reporting-a-vulnerability

Please be aware that BlueConic utilizes AWS, who have their own policies: