This document describes the unified rules (“Rules of Engagement”) for customers wishing to perform penetration tests against OnePlan. In many cases, OnePlan uses shared infrastructure to host your assets and assets belonging to other customers. Care must be taken to limit all penetration tests to your assets and avoid unintended consequences to other customers around you. These Rules of Engagement are designed to allow you to effectively evaluate the security of your assets while preventing harm to other customers or the infrastructure itself.
All penetration tests must follow the Rules of Engagement as detailed on this page. Your use of OnePlan will continue to be subject to the terms and conditions of the agreement(s) under which you purchased the relevant service. Any violation of these Rules of Engagement or the relevant service terms may result in suspension or termination of your account and in legal action. You are responsible for any damage to OnePlan, to other customers' data, or to other customers' use of OnePlan that is caused by any failure to abide by these Rules of Engagement.
If during your penetration testing you believe you have discovered a potential security flaw in OnePlan, please report it to OnePlan via the feedback link in OnePlan or to the OnePlan employee you are working with. For any valid vulnerability you report, you agree not to disclose the vulnerability information publicly or to any third party until OnePlan confirms that the vulnerability has been fixed. All reported vulnerabilities must follow Coordinated Vulnerability Disclosure.
The goal of this program is to enable customers to test OnePlan without causing harm to any other OnePlan customers.
The following activities are prohibited:
- Scanning or testing assets belonging to any other OnePlan customers.
- Gaining access to any data that is not wholly your own.
- Performing any kind of denial of service testing.
- Performing network-intensive fuzzing against any asset except your own OnePlan group.
- Performing automated testing of services that generates significant amounts of traffic.
- Deliberately accessing any other customer's data.
- Using our services in a way that violates the Acceptable Use Policy.
- Attempting phishing or other social engineering attacks against our employees.
The following activities are permitted:
- Creating a small number of test accounts and/or trial tenants for demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data of another customer or account.
- Fuzzing, port scanning, or running vulnerability assessment tools against your own OnePlan group.
- Load testing your application by generating traffic at the levels expected during the normal course of business.
- Applying conditional access or mobile application management (MAM) policies within Microsoft Intune to test the enforcement of the restrictions imposed by those policies.
Regardless of the activities permitted above, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious. Many automated mitigation mechanisms are employed across OnePlan; these will not be disabled to facilitate a penetration test, so expect automated blocking or throttling to apply to your testing traffic as it would to any other.