Security Testing Policy: Requirements for Vulnerability Scanning and Penetration Testing
Guidelines for requesting authorisation for security testing and consequences of unauthorised scanning activities.
1. Purpose
WPCloud.ca is committed to maintaining a secure and stable hosting environment for all our clients. We understand that clients may need to conduct vulnerability scans or penetration tests (pen tests) against their own websites, applications, or services hosted on our platform ("Security Testing") to identify vulnerabilities, meet compliance requirements (e.g., PCI DSS, SOC 2), or validate their security posture.
This policy outlines the requirements, procedures, rules of engagement, and responsibilities for clients wishing to conduct Security Testing against their services hosted by WPCloud.ca. The purpose of this policy is to ensure that such testing is conducted in a controlled, authorised, and safe manner that does not compromise the security, stability, or performance of the WPCloud.ca infrastructure or negatively impact other clients.
Adherence to this policy, in addition to the general WPCloud.ca Acceptable Use Policy (AUP), is mandatory for any client or third-party acting on behalf of a client wishing to perform Security Testing.
2. Scope
- Permitted Scope: This policy applies exclusively to Security Testing activities directed only at the specific websites, applications, servers, and services (Targets) owned or leased by the requesting client and hosted within their designated environment on the WPCloud.ca platform.
- Prohibited Scope: Testing activities must NOT target:
- WPCloud.ca's core infrastructure, network devices, management interfaces, APIs, or control panels.
- Any websites, applications, servers, or data belonging to other WPCloud.ca clients.
- Any third-party services integrated with but not directly hosted by WPCloud.ca for the client (unless separate authorisation from that third-party is obtained and provided).
- Physical security of WPCloud.ca data centres or offices.
3. Request and Authorisation Process
Security Testing is strictly prohibited without prior written authorisation from WPCloud.ca.
To request authorisation, the client must submit a formal Security Testing Request via email to support@wpcloud.ca at least five (5) business days prior to the intended start date.
The request must include the following information:
- Client Information:
- Client Company Name
- Primary Business Contact (Name, Email, Phone)
- Primary Technical Contact (Name, Email, Phone)
- Testing Organization Information (if using a third-party):
- Testing Company Name
- Testing Company Primary Contact (Name, Email, Phone)
- Testing Details:
- Target(s): Specific URLs and FQDNs (Fully Qualified Domain Names). All targets must be within the client's hosted services.
- Proposed Timeline: Exact start and end dates and times (including time zone, e.g., EDT/EST) for the testing window. Specify the total duration. Testing outside the approved window is prohibited.
- Source IP Addresses: A complete list of static public IP addresses from which all testing traffic will originate. This information is required for monitoring purposes and incident response, not for default whitelisting (see Section 5). Dynamic IPs are generally not suitable for authorised testing.
- Testing Scope and Methodology: A clear description of the types of tests to be performed (e.g., black-box, grey-box, vulnerability scanning, application-level testing). Specify tools intended for use (e.g., Nessus, Nmap, Burp Suite). Explicitly state if simulated phishing or social engineering targeting the client's users/application is planned. State clearly that Denial of Service (DoS/DDoS) testing is not permitted (see Section 6).
- Emergency Contact: Contact information (phone number) for the testing team lead, available 24/7 during the testing window.
- Confirmation: A statement confirming the client and any third-party tester have read, understood, and agree to abide by this WPCloud.ca Security Testing Policy and the WPCloud.ca AUP.
WPCloud.ca will review the request and reserves the right to approve, deny, or request modifications. Approval will be granted in writing and will specify the authorised testing window and scope.
4. Rules of Engagement
Clients and their designated testers must adhere to the following rules:
- Stay Within Scope: All testing activities must be strictly limited to the authorised targets and scope defined in the approved request.
- Approved Time Window: Testing must only occur during the approved dates and times.
- Minimize Disruption: Testers must make reasonable efforts to minimize the impact on service performance and availability. Automated scanning tools should be configured to run at a reasonable speed/intensity. If testing causes performance degradation impacting other clients or the platform, WPCloud.ca may require the testing to stop or be rescheduled.
- Data Handling: Do not access, modify, download, or destroy WPCloud.ca or other clients' data. If sensitive data is encountered during testing, testers must immediately cease activity in that area and report it (see Section 7). Exfiltration of data must be limited to the minimum necessary to demonstrate a vulnerability (e.g., a system banner or a file listing) and must not include sensitive or client data.
- No Destructive Testing: Tests designed to intentionally degrade, damage, or destroy systems or data are strictly prohibited.
- No Social Engineering (WPCloud.ca): Attempts to trick or manipulate WPCloud.ca employees are prohibited.
- Monitoring: WPCloud.ca reserves the right to monitor all testing activities. We may block or null-route testing traffic if it violates this policy or poses a threat to our infrastructure or other clients (see Section 6).
5. IP Address Whitelisting
- Default Policy: No Whitelisting: To ensure Security Testing accurately reflects real-world attack scenarios and validates the effectiveness of WPCloud.ca's standard security controls (including firewalls, WAFs, intrusion detection/prevention systems), source IP addresses provided by the client will NOT be whitelisted by default. Testing against our active defences is a critical part of assessing true security posture. Testers should expect that certain activities may be blocked, rate-limited, or trigger alerts; this is a valid outcome of the test and indicates defences are working.
- Exceptions: In rare, specific circumstances where the goal is solely to test application-layer vulnerabilities without interference from network-level defences (e.g., after an initial external test has been completed and network defences validated), limited-duration whitelisting may be considered. Such requests must be explicitly included in the initial Security Testing Request with a strong justification outlining why bypassing standard defences is necessary for the specific test objective. Approval for whitelisting is at WPCloud.ca's sole discretion and is not guaranteed.
- Monitoring: Even if an exception for whitelisting is granted, WPCloud.ca will still monitor traffic from the source IPs for abuse or policy violations.
6. Prohibited Activities and Abuse Policy
The following activities are strictly prohibited:
- Denial of Service (DoS) / Distributed Denial of Service (DDoS): Any form of DoS or DDoS attack simulation or execution.
- Testing Outside Approved Scope: Targeting systems, applications, or data not explicitly approved.
- Testing Outside Approved Time Window: Conducting tests before the start or after the end of the authorised period.
- Testing Shared Infrastructure: Targeting WPCloud.ca core systems, networks, or other clients.
- Destructive Testing: Intentionally damaging systems or data.
- Unauthorised Data Access/Exfiltration: Accessing, modifying, or exfiltrating data beyond the minimum required to prove a vulnerability, especially sensitive or customer data.
- Social Engineering: Targeting WPCloud.ca staff.
- Exploiting Vulnerabilities Beyond Proof-of-Concept: Actively exploiting a vulnerability to pivot to other systems, escalate privileges beyond what is needed to demonstrate the issue, or exfiltrate significant data is prohibited unless explicitly authorised for a specific, agreed-upon scenario.
- Excessive Load: Performing scans or tests at a volume or intensity that causes significant performance degradation to the shared infrastructure or other clients.
- Failure to Cease Activity: Not stopping testing immediately upon request from WPCloud.ca staff.
- Violating the WPCloud.ca AUP.
Consequences of Abuse:
Violation of this policy constitutes abuse and may result in one or more of the following actions, at WPCloud.ca's discretion:
- Immediate termination of the authorised Security Test.
- Blocking or null-routing of source IP addresses involved in the violating activity.
- Suspension or termination of the client's hosting services with WPCloud.ca, in accordance with the AUP.
- The client will be held liable for any damages incurred by WPCloud.ca or its other clients as a result of the policy violation. This includes costs associated with incident response and service restoration.
- Reporting of illegal activities to appropriate law enforcement authorities.
7. Reporting and Communication
- Immediate Notification: The client or their tester must immediately notify WPCloud.ca (via support@wpcloud.ca and any provided emergency contact) if they discover a critical vulnerability that could impact the core WPCloud.ca infrastructure or other clients, or if the testing inadvertently causes a service disruption or significant performance issue.
- Test Report Sharing: The client agrees to share relevant sections, or preferably the full report, of the Security Test findings with WPCloud.ca within five (5) business days of the report's completion. This helps both WPCloud.ca and the client understand and address any identified risks, particularly those related to the hosting environment configuration. WPCloud.ca will treat shared reports as confidential client information.
8. Liability and Disclaimer
- The client assumes all responsibility and liability for the actions of their employees or any third-party testing organization acting on their behalf.
- The client is responsible for any damage to their own services, applications, or data resulting from their Security Testing activities.
- WPCloud.ca is not liable for any direct or indirect damages, service interruptions, or data loss incurred by the client as a result of the client's authorised Security Testing, provided WPCloud.ca's actions are consistent with this policy.
- The client agrees to indemnify and hold harmless WPCloud.ca, its employees, agents, and affiliates against any claims, damages, losses, liabilities, or expenses (including reasonable legal fees) arising from the client's or their tester's violation of this policy, the AUP, or applicable laws during Security Testing.
9. Policy Review and Updates
This policy is subject to change at WPCloud.ca's discretion. Clients will be notified of significant changes. This policy will be reviewed at least annually. The latest version will be available upon request or via the WPCloud.ca knowledge base.
10. Contact Information
For all Security Testing requests, notifications, and inquiries related to this policy, please contact:
WPCloud.ca Security Team
Email: support@wpcloud.ca
Last updated on April 22, 2025