Rules for performing of External Security Scans

This document constitutes terms of use of certain Yandex.Cloud Services and forms an integral part of the Yandex.Cloud Customer Agreement (“Agreement”) and sets the procedure for External Security Scans by Customer.

Capitalized terms used herein but not defined herein shall have the same meanings set forth in Agreement or Linked Documents.

Customers who store their Content in the Services mentioned below may conduct vulnerability scans, penetration tests, as well as other tests aimed at finding performance problems or confirming compliance with operating conditions with pre-defined requirements (hereinafter – External Security Scans). External Security Scans may be performed by Customer independently or by Customer’s contractors, for whose acts and/or omissions Customer remains liable as if they were his or her own.

Conditions for performance of External Security Scans:

  • External Security Scan can only be performed against order or by Customer with an active payment account;
  • It is strictly forbidden to use any tool in such a way that it performs any of the following:
    • L3/L4 DDoS attacks or their imitation,
    • TCP SYN Flood / UDP Flood / ICMP Flood / spoofed packet DDoS or simulation,
    • Fragmented UDP / ICMP / TCP (Teardrop),
    • ICMP Smurf,
    • Amplification attacks (DNS / NTP / LDAP / memcached, etc.).
  • Any port must be scanned non-aggressively;
  • It is forbidden to access the media or data of another customer or to execute any container escape attacks (e.g. a Virtual Machine escape);
  • External Security Scan must not violate the terms and conditions of Agreement according whereto Customer has acquired access to Platform;
  • In case of unintentional access to Content of another customer by the testing company, such testing company shall immediately stop the External Security Scan and inform Yandex thereof within one hour.

External Security Scan may be carried out exclusively with respect to Content located on the Platform within the following Services:

  • Yandex Compute Cloud
  • Managed Service for PostgreSQL, ClickHouse, MySQL®, Redis™, MongoDB, Elasticsearch, Apache Kafka®, Yandex Database, Greenplum®, Data Proc
  • Yandex Object Storage
  • Yandex API Gateway
  • Yandex Load Balancer
  • Yandex Application Load Balancer
  • Yandex Cloud CDN
  • Yandex Cloud Functions
  • Yandex Data Transfer
  • Yandex Container Registry
  • Yandex Managed Service for Kubernetes®
  • Yandex Serverless Containers

External Security Scans of third-party resources

If you are Customer and a provider of scanning and/or security analysis services using the Platform, then in order to provide such services it is necessary to coordinate the declared activity with Yandex representatives, as well as to obtain the approval of the person with respect to whom the External Security Scan is planned. The application must be sent to the Yandex support service - cloud@support.yandex.ru no later than 2 (two) weeks before the start date of the External Security Scan.

In the application you must specify:

  • description of activities and/or planned activities;
  • account ID and services that you plan to use during the work;
  • external IP addresses from which the work will be carried out;
  • time periods of work;
  • contact information for operational communication, including phone number.

Within 5 (five) working days from the date of submission of the application, you will receive an individual response to your application.

If, during External Security Scans, Customer or a person engaged by Customer encounters any vulnerability in any of Services, Customer is obliged to immediately contact the support service - cloud@support.yandex.ru.

If, during the External Security Scan process, the Content of Customer or of a third party has become available to Customer or the person performing the External Security Scan, Customer, as well as the person engaged by Customer, must immediately contact the support service - cloud@support.yandex.ru, as well as terminate access to such Content.

Customer and the person engaged by Customer guarantee that they will not access the Content of third parties and use it in any way. In case of violation of this guarantee, Customer undertakes to compensate for all losses of Yandex and the third party to whose Content access was obtained caused by the actions of the Customer or person engaged by Customer.

Any extra matters may be discussed with the Yandex technical support.

External Security Scan is performed by Customer entirely at his own expense; Yandex is not liable for potential damages and losses of Customer’s Content, as well as damage incurred by Customer in connection with External Security Scan.

Yandex has the right without prior notice to block Customer's account or virtual machine from which actions that violate these Rules for performing of External Security Scans are performed.

If any claims are presented to Yandex as a result of the External Security Scans, the Customer who initiated the External Security Scan undertakes to compensate Yandex for the losses caused, as well as to assist in the settlement of such dispute.

Intertech Services AG / Iron Hive doo Beograd

Web address: https://yandex.com/legal/cloud_pentest

Date of placement: June 20, 2023 / November 1, 2023

Effective date: June 20, 2023 / November 1, 2023

Previous version of the document: https://yandex.com/legal/cloud_pentest/04052020