This page provides recommendations and explains the limitations for Security Testing against Oracle On-Premises Products (software and hardware systems) managed by customers and typically deployed in a data center under their control. It also applies to testing performed by third parties on the customer’s behalf. You should review the “Helping you determine the applicable Security Tests limitations” section of the Overview page to determine if the limitations listed below apply to your intended Security Tests.
Oracle encourages customers to periodically perform security testing in the environments they control and periodically assess their security posture. Common security testing activities performed by customers against On-Premises Products include, but are not limited to:
Generally, Oracle Products Agreements do not prohibit a customer from conducting Security Tests of its Oracle On-Premises Products as part of its use of such Products in furtherance of its internal business operations. However, to the extent permitted by the applicable Oracle Products Agreement, any such testing of an Oracle Software must comply with usage restrictions specified in such agreement, which typically include prohibitions on:
For testing limitations applicable to specific Oracle On-Premise Products, customers should review the terms and conditions of the Oracle Products Agreements under which they have acquired the subject products.
It is not always possible or recommended to perform testing activities (for example, penetration testing) against production environments as these activities can negatively impact the environment being tested. For example, testing activities may result in outages, degradation of performance, loss of data integrity.
When performing security testing against a dedicated test environment Oracle recommends that:
The Oracle recommendations on this page constitute general suggestions, and may not be complete or applicable to your specific deployment of On-Premise Products. Except to the extent otherwise specified in an Oracle Cloud Agreement under which you have engaged Oracle to manage your On-Premise Products deployed in an Oracle Cloud Service, you remain solely responsible for selecting how to test and determine the security of your Oracle On-Premise Products.
If you believe you have identified an original security vulnerability in an Oracle On-Premises Product, you can report your finding to Oracle using the process documented at How to Report Security Vulnerabilities to Oracle.
Note that many vulnerability scanning tools do not accurately identify the versions of third-party components or open-source components used in Oracle product distributions. As a result, these tools may provide a list of known vulnerabilities (identified by their CVE identifiers) allegedly present in your Oracle product deployment. Oracle recommends that you visit the Critical Patch Updates, Security Alerts and Bulletins page to determine if these findings accurately apply to the versions of the Oracle products you are testing. The My Oracle Support article “Security Vulnerability FAQ for Oracle On-Premises Products” explains how to determine if a published CVE affects your Oracle product.
Subject to the terms of the applicable Oracle Products Agreement, customers can opt to operate Oracle On-Premise software products in third-party cloud environments. Security Tests of the On Premises Products are then subject to the terms described on this page, and may be subject to additional testing restrictions pursuant to the customer’s agreement with the applicable third-party cloud provider.
注:为免疑义,本网页所用以下术语专指以下含义: