Engaging with Oracle Cloud Security Testers

Information for Oracle customers

Oracle customers can engage Third-Party Testers to perform authorized Security Testing against their Oracle Cloud Services and in accordance with this Testing Policy. When the security testing is not to be performed directly by the customers, unless otherwise agreed by Oracle in writing, Oracle requires that customers use a security tester on the “List Of Oracle Cloud Security Testers (PDF).”

See “Oracle cloud” page for a list of applicable limitations for security testing of Oracle Cloud Services.

Oracle has established this requirement for several reasons, including:

  • Providing that the customer has specifically approved the sharing of sensitive information with the organization performing the Security Tests against the customer’s Cloud Service.

  • Facilitating the sharing of technical information between the Third-Party Tester and the Oracle Cloud development and security teams.

  • Ensuring that the Third-Party Tester is not subject to regulatory restrictions or associated with embargoed organizations.

View the List of Security Testers for Oracle Cloud (PDF)

Information for third-party testers

Oracle will not accept unsolicited requests from security testers to be included in the List of Security Testers for Oracle Cloud. Only existing Oracle customers can request that Oracle consider including an additional security tester in the list.

After a customer submits a written request to add a testing organization to the List of Security Testers for Oracle Cloud, Oracle will assess the request, and engage with the testers to discuss operating procedures during testing, tester’s responsibilities, and the conditions to receive public credit for original findings.

Information for Oracle Customers

In addition to satisfying the requirements of this Testing Policy, by using a Third-Party Tester to perform Security Tests of your Cloud Services, you agree to be responsible for the following:

  • The Third-Party Tester’s compliance with the terms and conditions of this Testing Policy and the Oracle Cloud Agreement for your applicable Cloud Services;
  • Procuring the Third-Party Tester to perform your Security Tests in a separate agreement negotiated between you and that third-party;
  • Paying the Third-Party Tester any fees and expenses associated with its performance of your Security Tests;
  • Third-Party Tester’s compliance with procedures for reporting findings;
  • Coordinating with your Third-Party Tester and Oracle throughout the duration of the Security Tests, which includes verifying with the Third-Party Tester as to its availability to conduct the tests during the period agreed to between you and Oracle; and
  • Provisioning and managing the necessary accounts to the Third-Party Tester necessary for its performance of the Security Tests, including (i) obtaining any consents, and providing any notices, necessary to allow the Third-Party Tester to access your Cloud Services and your data therein, as well as (ii) removing such access and conducting any other account-related activities associated with the end of the Third-Party Tester’s services, after the completion or termination of the Security Tests.

Except as permitted by this Testing Policy or otherwise agreed to by Oracle in writing, You may not use any third party, or allow a Third-Party Tester you have engaged to use any third party, to conduct the Security Tests.

注:为免疑义,本网页所用以下术语专指以下含义:

  1. 除Oracle隐私政策外,本网站中提及的“Oracle”专指Oracle境外公司而非甲骨文中国。
  2. 相关Cloud或云术语均指代Oracle境外公司提供的云技术或其解决方案。