Generally, no. Most of the buffoonery that calls itself "penetration testing" is just an attempt to compromise the security and/or availability of our service and/or a member site. We take an extremely dim view of that. It's also a federal crime. We respond to unauthorized "penetration testing" just as we would for any other hacking attempt, ranging from blocking source IPs from accessing our network up to and including contacting the relevant authorities, pressing charges, and seeking civil damages if appropriate. If we find that unauthorized penetration testing was done with a member's cooperation or at a member's direction, that membership will be terminated without warning or refund.
If you do wish to engage in authorized penetration testing, it can be arranged, but the cost is considerable and you must meet significant requirements:
- You must be a subscription member to even discuss the possibility. If your site is important enough to require penetration testing, you should be a subscription member anyway.
- You must submit a detailed written test plan to us and obtain our approval before testing.
- You must submit a certificate of insurance demonstrating applicable coverage both for general liability and professional liability / E&O appropriate for the work you will be performing. The certificate must show current coverage with a per-incident limit of at least $1,000,000 and reflect NFSN, Inc. as an additional insured.
- You must agree in writing to share the complete test results with us.
- You must schedule all testing at an off-hours time acceptable to us when we can have an engineer available to monitor it. You will be expected to cover all costs associated with that, including overtime, if applicable.
- You must provide the source IP address(es) for all testing ahead of time, and should be aware that the engineer monitoring the test will not hesitate to block them if any test activity negatively impacts any site other than the one being tested. You should also anticipate that every packet will be logged.
If you fail to abide by these requirements, or agree to them and fail to follow them (for example if you test outside approved hours, deviate from the approved test plan, or fail to provide results after performing a test), then authorization for future tests is unlikely to be granted.
These requirements are onerous, and reflect that penetration testing is a risky practice that must only be undertaken by skilled, qualified professionals after careful planning. (And yes, people with legitimate need can and do meet these requirements.) If the firm you hire to perform the test balks at these requirements, they are not qualified. If you have a legitimate need, please feel free to contact us; we can direct you to qualified firms.
If these requirements are too onerous, or if the cost is too high (which would be odd; while substantial by our standards, they will be a rounding error compared to the cost of having a proper test performed), that is a good sign that your site is not appropriate for penetration testing.
We do regularly perform and have others perform penetration tests on our own network in order to ensure that our service is as secure as possible. No accesses to member web sites are performed by these tests, but representative sites managed by us are thoroughly tested in addition to our own production sites.