Last Updated: Jul 16, 2024
Overview
Customers that have a paid Auth0 subscription may conduct a security test of their application involving Auth0 infrastructure (e.g., tenant-name.auth0.com) with prior approval.
Applies To
- Security Test
- Vulnerability scan
- Vulnerability Assessment
- Penetration Test
- Self-Service Subscription
- Enterprise Subscription
Solution
To conduct a security test, please notify us via the Support Center in advance. Auth0 requires at least 7 days' notice prior to the test's planned start date.
Information required
Please provide the following information in the support ticket when requesting approval for testing:
- The specific dates/times of the test and timezone. Tests are not allowed during a change freeze period. To learn more, read the change freeze penetration testing policy below.
- Scope and purpose of the test.
- IP address(es) from which the test will come.
- Tooling that is planned to be used.
- Requests per second (the test must conform to the Rate Limit Policy).
- The Auth0 tenant(s) involved.
- Two contacts, with phone number and email, who will be available during the entire test period in case we need to contact you. If we have any questions, we will make a reasonable attempt to contact you. If you cannot be reached, we reserve the right to take measures to protect the service, which may include shutting down or blocking your tenant and/or the source of the intrusion traffic.
NOTE:
- Penetration tests are not allowed during change freezes.
- Approved tests scheduled to occur during an ad hoc change freeze will be rescheduled and clearly communicated.
- Auth0 may grant exceptions in extenuating circumstances.
Related References
- Further information can be found here: Penetration Testing Policy.