Penetration testing on Vercel

Learn how to perform pentesting on Vercel.
Last updated on November 25, 2024

When you host a website online, you should perform security assurance to protect your company and your customers. One common method is to conduct “penetration testing” — simulating attacks on your website to identify security weaknesses.

Penetration testing is authorized for both Pro and Enterprise customers.

Penetration testing is not permitted for Hobby users. For more information, please consult our Fair Use Guidelines.

Pro and Enterprise customers are permitted to test their own applications hosted on Vercel. However, customers must not target the underlying hosting infrastructure and platform.

Vercel performs continual security assurance activities against our underlying platform, including penetration testing. Recent pentest reports are available to our Pro and Enterprise customers at https://security.vercel.com.

Only Enterprise customers can perform volumetric penetration testing (e.g. sending a large number of requests from an automated scanner), and you must notify Vercel in advance through your Customer Success Manager.

Volumetric testing overlaps with load testing, which is covered in the guide "What is Vercel's policy regarding load testing deployments?".

Both Pro and Enterprise customers can perform non-volumetric penetration testing without notifying Vercel in advance.

Consider how penetration testing might affect your downstream suppliers (e.g. backend or database hosting providers), and obtain consent from all relevant parties.

We recommend that you set any IP addresses used for penetration testing to Bypass in your project's WAF configuration, so that no other user-configured rules block the testing traffic. Note that this configuration does not currently bypass Vercel's platform-level protections; traffic from those IP addresses remains subject to them.

Customers are responsible for all variable costs associated with penetration testing activities (e.g. Fast Data Transfer, Function Invocations, Edge Config reads).