Rules for Performing External Security Scans

This document constitutes terms of use of certain Yandex.Cloud Services and forms an integral part of the Yandex.Cloud Customer Agreement (“Agreement”) and sets the procedure for External Security Scans by Customer.

Capitalized terms used herein but not defined herein shall have the same meanings set forth in Agreement or Linked Documents.

Customers that store their own software at Platform may conduct External Security Scans for it. External Security Scans may be performed by Customer independently or by Customer’s contractors, for whose acts and/or omissions Customer remains liable as if they were his or her own. In order to perform External Security Scan, it is necessary to obtain permission from Yandex Information Security Service in Management Console through the technical support.

Conditions for performance of External Security Scans:

  • External Security Scan (the "Testing") can only be performed against order or by Customer with an active payment account;
  • Testing should not be aimed at any other resources of other Yandex customers or any common components of the Platform infrastructure;
  • It is strictly forbidden to use any tool in such a way that it performs any of the following:
    • L3/L4 DDoS attacks or their imitation,
    • TCP SYN Flood / UDP Flood / ICMP Flood / spoofed packet DDoS or simulation,
    • Fragmented UDP / ICMP / TCP (Teardrop),
    • ICMP Smurf,
    • Amplification attacks (DNS / NTP / LDAP / memcached, etc.);
  • Any port must be scanned non-aggressively;
  • It is forbidden to access the media or data of another customer or to execute any container escape attacks (e.g. a Virtual Machine escape);
  • Testing must not violate the terms and conditions of Agreement under which Customer has acquired access to Platform;
  • If a testing company or Customer believes it has discovered a potential security issue related to Platform, Customer must report this to technical support within 24 hours;
  • In case of unintentional access to Content of another customer by the testing company, such testing company shall immediately stop Testing and inform Yandex thereof within one hour;
  • Customer shall be liable for any damage caused to Yandex or other customers of Platform by Testing due to failure to comply with these rules or provisions of Agreement.

Any extra matters may be discussed with the Yandex technical support under the proposal approval process.

In order to obtain permission for External Security Scan, Customer needs to:

1. request the "External security scan questionnaire" (Questionnaire) from Yandex technical support;

2. complete and send the Questionnaire to technical support;

3. wait for the confirmation of Questionnaire approval by Yandex Information Security Service.

Yandex may deny Customer permission to perform External Security Scan for any reason.

External Security Scan is performed by Customer entirely at his own expense; Yandex is not liable for potential damages and losses of Customer's Content due to External Security Scan.

Yandex Services AG

Web address: https://yandex.com/legal/cloud_pentest

Date of placement: April 24, 2020

Effective date: May 04, 2020