Penetration Testing Policy

Effective Date: 01 July 2019

If you have a paid Auth0 subscription, you may conduct a security test of your application involving Auth0 infrastructure (e.g. your-tenant.auth0.com) with prior approval.

Submit penetration testing request

To conduct a security test, please notify us in advance via the Support Center. Auth0 requires at least 7 days' notice prior to your test's planned start date.

If the test is isolated to your infrastructure (that is, there will be no testing of Auth0 services), you do not need to notify Auth0.

Information required

Please provide the following information in the support ticket when requesting approval for testing:

  • The specific dates, times, and time zone of the test. Tests are not allowed during a change freeze period. To learn more, read the change freeze penetration testing policy below.

  • Scope and purpose of the test

  • IP address(es) the test will come from

  • Tooling that is planned to be used

  • Requests per second (the test must conform to the Rate Limit Policy)

  • The Auth0 tenant(s) involved

  • Two contacts (phone number and email) who will be available during the entire test period in case we need to contact you. If we have any questions, we will make a reasonable attempt to contact you. If you cannot be reached, we reserve the right to take measures to protect the service, which may include shutting down or blocking your tenant and/or the source of the intrusion traffic.

Change freeze penetration testing policy

  • Penetration tests are not allowed during orange and red change freezes.

  • Approved tests scheduled to occur during an ad hoc change freeze will be rescheduled and clearly communicated.

  • Auth0 may grant exceptions in extenuating circumstances.

Test requirements

Auth0 requires that:

  • The test is restricted to your tenant only

  • The test's requests per second do not exceed the rates defined in our Rate Limit Policy

  • You disclose any suspected findings to the Auth0 Security team for explanation/discussion

  • You understand that your tenant will be moved between environments during testing. Auth0 will move your tenant from the Production environment to the Preview environment before the testing commences, and will return your tenant to the Production environment once the testing period ends. Note that while your tenant is in the Preview environment, it may receive updates more rapidly.

Reporting Identified Vulnerabilities

To report any vulnerabilities identified, please email security@auth0.com. The PGP key for encrypting the email or report can be found at https://auth0.com/security.

Restrictions

  • You may not conduct any load testing (such as Denial of Service testing) per the load testing policy.

  • You may not conduct any penetration testing targeting our management dashboard. Testing of the Management and Authentication APIs is allowed.

  • You may not conduct any penetration testing targeting tenants that we have not approved.

Private Cloud customers

Private Cloud customers should also request permission to run a penetration test via the Auth0 Support Center. Please include the information listed above with your support request.