Penetration testing your service behind Fastly
Last updated 2018-05-30
We understand the need for our customers to validate the security of their service behind Fastly.
Penetration tests that interfere with or disrupt the integrity or performance of Fastly services violate our acceptable use policy. You must respond immediately to any communication from Fastly regarding your test to help ensure your testing does not adversely affect other customers or the Fastly network.
To perform security testing of your Fastly service configurations, create a Customer Support ticket by contacting Fastly via email at email@example.com at least two (2) business days before you begin any security testing. In your ticket, include these details:
- the IDs of the services that will be tested
- the source IP address of the test
- the date of the test
- the start and end time of the test, including the time zone
- the contact information for the individual or third party performing the test, including a phone number and e-mail address
- whether or not the security test is likely to lead to significantly increased traffic volume
The following requirements apply to any security testing you perform:
- Only test Fastly services you own or are authorized by the owner to test. You may not perform tests against other customers without explicit permission or against Fastly-owned resources.
- Do not begin testing until after Fastly has responded affirmatively to your ticket and authorized your request.
- Update the ticket if either the scope or timeframe of your testing changes.
- If you discover vulnerabilities in the Fastly platform during your test, update the ticket with your findings as soon as possible so we can address them.
We welcome security professionals researching potential vulnerabilities in our network under our guidelines for reporting a security issue.