Generally, no. Most of the buffoonery that calls itself "penetration testing" is just an attempt to compromise the security and/or availability of our service and/or a member site. We take an extremely dim view of that. It's also a federal crime. We respond to unauthorized "penetration testing" just as we would for any other hacking attempt. That's anything from blocking source IPs from accessing our network up to and including contacting the relevant authorities, pressing charges, and seeking civil damages if appropriate.
If we find that unauthorized penetration testing was done with a member's cooperation or at a member's direction, that membership will be terminated without warning or refund.
If you wish to perform authorized penetration testing (or, in most cases, have it performed by qualified professionals), it can be arranged, but the cost is considerable and you must meet significant requirements:
- You must be a subscription member to even discuss the possibility, and the relevant site must be a critical site. If your site is important enough to require this, that should be the case anyway.
- You must submit a detailed written test plan to us and obtain our approval before testing.
- You must submit a certificate of insurance demonstrating applicable coverage both for general liability and professional liability / E&O appropriate for the work you will be performing. The certificate must show current coverage with a per-incident limit of at least $1,000,000 and reflect NFSN, Inc. as an additional insured.
- You must agree in writing to share the complete test results with us.
- You must schedule all testing at an off-hours time acceptable to us when we can have an engineer available to monitor it. You will be expected to cover all costs associated with that, including overtime, if applicable.
- You must provide the source IP address(es) for all testing ahead of time. Be aware that the engineer monitoring the test will not hesitate to block the test if any activity negatively impacts any site other than the one being tested. You should also anticipate that every packet will be logged.
If you do not abide by these requirements, or agree to them and then fail to follow them, authorization for future tests is unlikely to be granted. This includes testing outside approved hours, material deviation from the approved test plan, or failure to provide results after performing a test.
These requirements are onerous and reflect that penetration testing is a risky practice that must only be undertaken by skilled, qualified professionals after careful planning. (And yes, people with a legitimate need can and do meet these requirements.) If the firm you hire to perform the test balks at these requirements, they are not qualified. If you have a legitimate need, please feel free to contact us; we can direct you to qualified firms.
If these requirements are too onerous, or if the cost is too high (which would be odd; while substantial by our standards, it will be a rounding error compared to the cost of having a proper test performed), that is a good sign that your site is not appropriate for penetration testing.
We do regularly perform and have others perform penetration tests on our own network to ensure that our service is as secure as possible and to meet compliance requirements. No access to member websites occurs during these tests, but representative sites managed by us are thoroughly tested in addition to our own production sites.