An official website of the United States government

Penetration and load test notification

If you, or an authorized third party, plan to perform a penetration test or load test of your system on Cloud.gov, please send the following to Cloud.gov support:

* System under test (examples: _webapp_.agency.gov or _webapp_.app.cloud.gov; _site_.agency.gov or preview_url.pages.cloud.gov):
* Testing organization and contact information:
* Source IPs or IP ranges (for testers and their tools):
* Expected start date, (or "starting immediately"):
* Expected end date:
* Expected maximum load requests per minute (for load testing only):
* Acknowledgement that you are abiding by the terms at https://cloud.gov/docs/compliance/pentest/

The “system under test” is one of:

  • Cloud.gov Platform: your application at application-name.app.cloud.gov, or your external domain (e.g. https://agency.gov)
  • Cloud.gov Pages: your website at your preview URL (at sites.pages.cloud.gov), or your external domain (e.g. _site_.agency.gov)

“Maximum load” must be limited to maximum reasonably expected load, e.g., “What might we expect the hour before filing deadline?” or “What if we trend on social media after we launch?”

You don’t need an approval, and Cloud.gov doesn’t provide approvals. Simply sending the notification is sufficient.

You can always run routine automated vulnerability scans on your own applications without special notification.

Testing considerations

Pentesting: When testing Cloud.gov Platform systems, you can also conduct testing of:

  • Your application instance via cf ssh.
  • Your brokered services, either directly or via cf ssh or an ssh proxy.

Infrastructure changes: We do NOT make infrastructure changes to accommodate any tests, since you should test under realistic conditions. Load testing from a single IP address will likely be rate-limited and will not reflect performance under realistic conditions.

Exclusions

All Cloud.gov products are under regular testing by our team, and by third-party assessors, as part of our Continuous Monitoring plan. FedRAMP® makes the results available to authorized users. Additional testing of these products by your team is neither warranted nor authorized.

You are not permitted to attempt any scanning or reconnaissance from your instances or brokered services.

You are not permitted to test the Cloud.gov infrastructure, which comprises the following sites and web applications:

    https://pages.cloud.gov
    https://pages-staging.cloud.gov
    https://cloud.gov
    https://*.fr.cloud.gov

Your assessment must not target other Cloud.gov customers, nor perform or simulate denial of service attacks or otherwise violate the Amazon AWS testing policy.

Notifications

If you suspect that you have uncovered a vulnerability in any of Cloud.gov’s products, please refer to our security.txt for how to report it.

An official website of the U.S. General Services Administration