CoreWeave Customer Asset Penetration Testing Policy
At CoreWeave, the security and integrity of our cloud infrastructure and services are critical to our customers and we take that responsibility seriously. We recognize that our customers may wish to conduct penetration testing on their own cloud environment and systems or services hosted on the CoreWeave platform. To facilitate these activities CoreWeave's Platform Security team has established this Penetration Testing Policy to outline the guidelines for conducting such tests safely and in adherence with CoreWeave's terms of service.
Conducting a Penetration Test on CoreWeave infrastructure
CoreWeave customers may perform penetration testing on their own cloud infrastructure without prior authorization from CoreWeave, as long as the testing is within the scope of their own cloud environment and such testing does not impact CoreWeave systems or services.
Customers may not conduct stress-testing or any disruptive testing that could potentially affect the confidentiality, integrity, or availability of CoreWeave systems, or other CoreWeave clients' infrastructure or data, without obtaining written permission from CoreWeave Platform Security.
Customers who wish to perform potentially intrusive or disruptive testing must request permission to do so by emailing [email protected] at least 14 calendar days before testing is scheduled to commence, and the permission must be granted before any testing can begin.
We strongly encourage our customers to use industry-recognized methodologies, such as the Penetration Testing Execution Standard (PTES), to conduct application and system-level penetration testing. Vendors who adhere to these standards are preferred. If requested by the customer, CoreWeave may provide a list of pre-approved vendors who meet our standards.
CoreWeave customers must abide by our Acceptable Use Policy and other Terms of Service during penetration testing. Any violation of these policies may result in the immediate suspension of testing and/or termination of services.
Responsible Disclosure
In the event that a vulnerability is discovered during the course of testing, we encourage our customers to responsibly disclose such vulnerabilities to CoreWeave's security team. We request that the results of any vulnerability reports, responsible disclosure discussions, or other interactions related to vulnerability discovery be kept private unless both parties agree in writing to a mutual public disclosure.
CoreWeave's responsible disclosure policy must be followed at all times during the vulnerability disclosure process.
CoreWeave reserves the right to suspend or terminate access to our services for any customer who violates this policy or engages in any behavior that could potentially harm our platform, systems, or clients.
We appreciate our customers' cooperation in maintaining the security and integrity of our platform and services. If you have any questions or concerns regarding this policy, please contact us at [email protected].