Penetration Testing
If you’re a VeriProof customer who needs to conduct penetration testing as part of your own compliance programme — or if you’re a security professional conducting a formal assessment on behalf of a customer — this page describes scope, conditions, and how to engage with us.
Pre-authorisation required. Do not begin penetration testing without written authorisation from VeriProof. Tests that affect shared infrastructure without prior approval may be flagged as abuse and result in account suspension.
What You Can Test
Your Own Tenant, by Default
Enterprise customers may assess VeriProof’s integration endpoints — including the Ingest API and Customer Portal API — as they relate to their own tenant, without prior approval, provided:
- Testing is limited to your own API keys, sessions, and data
- Testing remains within your tenant boundary (no attempts to access other tenants)
- You’re not generating load that could affect other customers (see rate limits below)
This covers most SDK integration testing, authentication verification, and input validation checks that form a normal part of development and QA activities.
Requires Pre-Authorisation
The following testing activities require written approval before starting:
| Activity | Why |
|---|---|
| Automated scanning at scale | Risk of impact to shared infrastructure |
| Load testing or stress testing | Affects all tenants on shared infrastructure |
| Testing of authentication infrastructure (session endpoints, JWT validation) | Touches shared auth surfaces |
| Any testing of Staff Portal endpoints | Not customer-accessible by design |
| Tests designed to probe cross-tenant isolation | Risk of inadvertent data access |
| Fuzzing or abnormal payload testing at high volume | May trigger abuse detection |
| Social engineering or physical security tests | Always out of scope |
Enterprise Federated Customers
If you run an Enterprise Federated deployment in your own Azure subscription, a larger testing surface is available to you because the infrastructure lives in your own environment.
You may test your Enterprise deployment under the following conditions:
- You have written approval from VeriProof for tests affecting Managed Application components
- Tests remain within your own Azure subscription
- You do not attempt to tamper with or extract the Notary signing keys or TEE attestation material
Contact your account manager or email security@veriproof.app to arrange an Enterprise penetration test scope document.
How to Request Authorisation
SaaS / Standard Tier
Send a request to security@veriproof.app with:
- Your organisation name and VeriProof account ID
- The name and organisation of the testing firm (or “internal team”)
- Proposed test window (start date, end date, expected daily hours)
- Testing methodology brief (tools, techniques, scope summary)
- Source IP ranges from which the tests will originate
- Contact name and number for immediate escalation during the test
We’ll review and respond within three business days with either approval, a modified scope, or a request for more information.
Scope Exclusions
The following are always out of scope, regardless of authorisation:
- Denial-of-service (DoS/DDoS) attacks against any VeriProof infrastructure
- Physical security assessments of VeriProof’s hosting locations (Microsoft Azure data centres)
- Social engineering or phishing attacks targeting VeriProof employees
- Testing third-party services integrated with VeriProof (Azure Key Vault, Solana network, etc.)
- Attacking blockchain infrastructure (Solana validators, RPC nodes)
- Any testing that would modify, delete, or corrupt existing blockchain anchoring records
Rate Limits During Testing
Even with authorisation, tests must stay within fair-use bounds:
| Limit | Value |
|---|---|
| Max sustained request rate | 100 req/s per tenant |
| Max Ingest API calls during test window | 50,000 per day |
| Max concurrent connections | 50 |
Exceeding these limits — even with authorisation — may trigger automated abuse mitigation. If your testing methodology requires higher volumes, discuss this in your pre-authorisation request and we’ll provide dedicated test credentials with modified limits.
Reporting Issues Found During a Pentest
Any vulnerabilities discovered during an authorised penetration test should be reported through the same channel as responsible disclosure:
- security@veriproof.app
- Include your authorisation reference number in the subject line
We’ll apply the same response SLAs as for unsolicited disclosures. See Responsible Disclosure for the full severity and response timeline.
After the Test
Once your test window closes:
- Share your final report with us at security@veriproof.app
- We’ll triage any findings and confirm receipt within two business days
- We’ll provide a remediation timeline for any confirmed issues
- Critical or high findings are eligible for coordinated disclosure credit
You’re welcome to reference “VeriProof — penetration testing authorised and conducted” in your own compliance documentation. Contact us if you need a letter confirming the test was conducted with our authorisation.
Next Steps
- Responsible Disclosure — for reporting issues found outside of formal test engagements
- Security FAQ — common questions about VeriProof’s security posture
- Multi-Tenant Isolation — how tenant boundaries are enforced at the data layer