Penetration Testing Policy
If you have a paid Nanonets subscription, you may conduct a security test of your model and API endpoints for your model.
To conduct a security test, please notify us in advance by writing an email to [email protected]. Nanonets requires at least 14 days' notice prior to your test's planned start date.
If the test is isolated to your infrastructure (that is, there will be no testing of Nanonets services), you do not need to notify Nanonets.
Please provide the following information in the support ticket when requesting approval for testing:
- The specific dates/times of the test and timezone
- The high-level scope of the test
- IP address(es) the scan will come from
- The Nanonets model(s) involved
- Two (2) contacts who will be available during the entire test period in case we need to contact you. If we have any questions, we will make a reasonable attempt to contact you. If you cannot be reached, we reserve the right to take measures to protect the service, which may include shutting down or blocking your model and/or the source of the intrusion traffic.
Nanonets requires that:
- The test be restricted to only your model(s)
- You disclose any suspected findings to the Nanonets Security team for explanation/discussion
- You do not conduct any load testing (such as Denial of Service testing), per the load testing policy
- You do not conduct any penetration testing targeting our management dashboard. Management and Authentication APIs are allowed.
- You do not conduct any penetration testing targeting models that we have not approved