Security testing frequently asked questions

Find answers to questions you may have about your Security Testing

Open all Close all
    • Why are there limitations for customer-performed Security Tests in the Oracle Cloud?

      Cloud environments are partially managed by the cloud service provider. Cloud services also leverage technical resources that are shared by different cloud customers. These limitations are intended to help reduce distractions that could compromise our security teams’ ability to monitor the cloud environment and reduce risks for other tenants in the same Oracle Cloud environment.

    • Why does Oracle limit security testing activities to customers and specific third-party testers?

      Oracle has various contractual and legal obligations for the security of the Oracle Cloud Services. For example, in compliance with its legal obligations, Oracle will not allow testing by organizations or individuals under embargo. In addition, Oracle values the contribution of the security research community and has established working procedures with various security organizations to enable an effective sharing of information.

    • What third-party testers can a customer use to perform security testing in the Oracle Cloud Services?

      If the Security Testing in the Oracle Cloud Services is not performed directly by the customers, Oracle requires that customers use a security tester identified in the “List of Security Testers for Oracle Cloud”. Except as permitted by the Oracle Customer Security Testing Policy or otherwise agreed to by Oracle in writing, customers may not use any third party, or allow a Third-Party Tester you have engaged to conduct the Security Tests.

    • Does Oracle have a “bug bounty program”?

      Oracle does not maintain an open bug bounty program at this time.

    • How do I report a security incident to Oracle?
    • Do I need approval before performing security testing against my Oracle Cloud Service?

      See the Oracle Cloud page on this site.

    • Who should I contact if I have questions?

      If you have questions that have not been addressed on this site. you should contact your account representative or Oracle Support through the support mechanism associated with the product you intend to test.

    • Can I perform non-security functional testing to validate features of Oracle Cloud Services?

      The purpose of functional testing is to validate features of Oracle Cloud services to assess whether they meet particular functional requirements or specifications. This is often referred to as black-box testing, regression testing, or unit testing whereby functionality of the application is assessed without the need to scrutinize internal structures or source code.

      You are allowed to perform limited functional testing of Oracle Cloud services:

      • You must not conduct any tests in the production environment. Before deployment, you must test all changes in a test environment.
      • You can perform functional testing using manual or automated tools.
      • You can conduct functional tests to validate the main functions of the Oracle Cloud service to meet business requirements including usability, accessibility, and error handling.
      • You must not use functional testing procedures or tools to test other aspects of the Oracle Cloud service, such as performance, reliability, and scalability.
      • You can conduct unit tests, user-acceptance tests, regression tests, and black-box tests to test the functionality of the Oracle Cloud services.

注:为免疑义,本网页所用以下术语专指以下含义:

  1. 除Oracle隐私政策外,本网站中提及的“Oracle”专指Oracle境外公司而非甲骨文中国。
  2. 相关Cloud或云术语均指代Oracle境外公司提供的云技术或其解决方案。