|
| 1 | +--- |
| 2 | +pcx_content_type: reference |
| 3 | +title: Scans and penetration testing policy |
| 4 | + |
| 5 | +--- |
| 6 | + |
| 7 | +Customers may conduct scans and penetration tests (with certain restrictions) on application and network-layer aspects of their own assets, such as their [zones](/fundamentals/setup/accounts-and-zones/#zones) within their Cloudflare accounts, provided they adhere to Cloudflare's policy. |
| 8 | + |
| 9 | +- **Permitted targets** - all scans or testing must be limited to the following: |
| 10 | + |
| 11 | + - Customer-owned IPs, |
| 12 | + - Cloudflare's designated public IPs, or |
| 13 | + - The customer's registered DNS entries. |
| 14 | + |
| 15 | +Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only allowed as part of Cloudflare's Public Bug Bounty program. Refer to the [Additional Resources](#additional-resources) section for more information. |
| 16 | + |
| 17 | +### Scanning |
| 18 | + |
| 19 | +- **Throttling**: Scans should be throttled to a reasonable rate to prevent disruptions and ensure stable system performance. |
| 20 | +- **Scope and intent**: Scans should identify the presence of vulnerabilities without attempting to actively exploit any detected weaknesses. |
| 21 | +- **Exclusions**: It is recommended to exclude [`/cdn-cgi/` endpoints](/fundamentals/reference/cdn-cgi-endpoint/) from scans to avoid false positives or irrelevant results. |
| 22 | +- **Compliance checks**: Customers may conduct [PCI compliance scans](/fundamentals/basic-tasks/pci-scans/) or verify that [known vulnerabilities](/ssl/reference/compliance-and-vulnerabilities/#known-vulnerabilities-mitigations) have been addressed. |
| 23 | + |
| 24 | +### Penetration testing |
| 25 | + |
| 26 | +- **Network behavior**: |
| 27 | + - Cloudflare's [anycast network](/fundamentals/concepts/how-cloudflare-works/) will report ports other than `80` and `443` as open due to its shared infrastructure and the nature of Cloudflare's proxy. This is expected behavior and does not indicate a vulnerability. |
| 28 | + - Tools like Netcat may list [non-standard HTTP ports](/fundamentals/reference/network-ports/) as open; however, these ports are open solely for Cloudflare's routing purposes and do not necessarily indicate that a connection can be established with the customer's origin over those ports. |
| 29 | +- **Known false positives**: Any findings related to the [ROBOT vulnerability](/ssl/reference/compliance-and-vulnerabilities/#return-of-bleichenbachers-oracle-threat-robot) are false positives when the customer's assets are behind Cloudflare. |
| 30 | +- **Customer security review**: During penetration testing, customers should be aware of the Cloudflare security and performance features, configurations, and rules active on their account or zone. After completing the test, it is recommended that customers review their security posture and make any necessary adjustments based on the findings. |
| 31 | + |
| 32 | +Customers can download the latest Penetration Test Report of Cloudflare via the [Dashboard](/fundamentals/reference/policies-compliances/compliance-docs/). |
| 33 | + |
| 34 | +### Denial-of-Service (DoS) testing |
| 35 | + |
| 36 | +For guidelines on required notification and necessary information, refer to Cloudflare's documentation [Simulating DDoS Attacks](/ddos-protection/reference/simulate-ddos-attack). Customers should also familiarize themselves with Cloudflare's [DDoS protection best practices](/ddos-protection/best-practices/). |
| 37 | + |
| 38 | +### Additional Resources |
| 39 | + |
| 40 | +For information about Cloudflare's Public Bug Bounty program, visit [HackerOne](https://hackerone.com/cloudflare). |
![hyperlint-ai[bot]](https://avatars.githubusercontent.com/in/718456?v=4&size=40){kind=avatar}
0 commit comments