Upon signing up for and/or using services from Penguin Enterprises Corp. dba on this website as PenTesting.cloud (PenTesting.Cloud/We/Us/Our), you (You/Your) agree to comply with PenTesting.Cloud’s Terms of Use (Terms). The spirit of this policy is to ensure You are using PenTesting.Cloud’s services with due regard to the rights of other Internet users and in conformity with the requirements of AWS, Azure and GCP (Cloud Provider/Cloud Providers).
Terms
- We reserve the right to update and change these Terms at any time without notice or acceptance by You. You agree to check these Terms at least once a month and close your account, or contact Us to close it, should You no longer agree to them.
- You confirm You are thirteen (13) years of age or older.
- Use of this site is not allowed where prohibited by law.
- PenTesting.Cloud is located in the United States. If You use PenTesting.Cloud from outside of the United States You acknowledge that You are voluntarily transferring information including personally identifiable information to the United States and that You agree that Our collection, use, storage and sharing of Your information is exclusively subject to the laws of the United States and not the jurisdiction where You are located.
- If you register using SSO, your handle will be your first and last name; this can be changed at any time by clicking on your avatar. You may change your handle at any time.
- Your handle, profile picture, country, score and other statistical information may be publicly displayed in various places on the website or in advertising/marketing material, including on social media.
- See our Privacy Policy for additional information on how your information is stored and used.
- You WILL incur fees from your Cloud Providers by attempting challenges. You are solely responsible for these charges. PenTesting.Cloud is NOT responsible for any charges you incur from Cloud Providers when completing a challenge. You are responsible for researching any charges before starting a challenge, promptly terminating challenge resources, manually deleting any resources not terminated when deleting a stack and monitoring Your usage daily. Charges from Your Cloud Provider may not appear until the end of the month or the beginning of the following month.
- Challenges are insecure by design and may contain vulnerabilities and/or misconfigurations, including possible remote vulnerabilities. You are responsible for assessing the risk before starting any challenge. It may be possible for an adversary to compromise Your Cloud Providers account, including but not limited to obtaining full Administrator Access, while You are attempting a challenge. PenTesting.Cloud is NOT responsible for any compromise or adverse actions on Your account with Cloud Providers or actions taken against You by Cloud Providers. Compromise of Your Cloud Provider account will likely result in a large amount of unwanted charges.
- Challenges may include content submitted by 3rd parties. This content may contain vulnerabilities, bugs, and misconfigurations. You accept this risk before starting any challenge.
- Resources within the challenges are NOT created in an isolated environment and may be publicly accessible. You are responsible for ensuring any resources launched will be sufficiently protected before starting a challenge.
- You have full source code to most if not all content. You agree to add additional security protections to the content, including but not limited to any templates, scripts, or other files before running, launching, or executing them, in order to meet Your acceptable risk preference. You also agree to have a competent 3rd party review any content to help ensure its security before using it.
- You agree to promptly report any security issues to Us via Our contact form.
- You agree to use a separate sandbox account from the Cloud Provider for any challenges, one used only for the purpose of completing challenges. DO NOT USE A BUSINESS OR PRODUCTION ACCOUNT. You also agree to close the separate sandbox account when you are done with, or taking an extended break from, Our challenges.
- You agree to immediately report any vulnerabilities to Us and allow ample time to respond and remediate them.
- Should You interact with other users from this site or outside of this site you do so at Your own risk.
- We reserve the right to close your account and/or block You for any reason.
- We reserve the right to remove any ratings or comments We deem inappropriate.
- Content and services are provided AS-IS without any warranties or guarantees of any kind, neither expressed nor implied. We reserve the right to discontinue, restrict, or charge for any or all services at any time.
- We are not responsible for any loss of data, loss of resources, loss of information, loss of income, or loss of business as a direct or indirect result of using our service.
- Closing Your account may result in all of Your statistics, including scores, rankings and badges, being lost.
- This is an educational site for teaching ethical penetration testing techniques and cloud knowledge.
- Any type of malicious, illegal, or unethical use is strictly prohibited.
- Any unbecoming conduct, including hate speech, vulgar or abusive language, or personal attacks towards any other users, staff, partners or suppliers, is strictly prohibited and may result in deletion of your account as well as a permanent ban.
- Any content You download from Us may solely be used for the purpose of completing a challenge and deleted when you are finished. None of Our content, neither in part nor in whole, may be reused for any other purpose.
- This site is currently free for individual, non-commercial, non-business use only. Commercial, educational, governmental, and not-for-profit organization use is strictly prohibited.
- Scoring, points per challenge, and criteria to earn badges may change over time, which may result in a lower score and/or removed badge. Additionally, challenges, and ergo all associated points and badges, may be removed from time to time.
- Any feedback, comments, bug reports, vulnerabilities or suggestions made by You may be used by PenTesting.Cloud at any time and in any capacity without any compensation to You.
- PenTesting.Cloud will be the sole arbiter to determine if a violation of Terms has occurred.
- You are responsible for any damage to Cloud Providers, customers of Cloud Providers, and users of PenTesting.Cloud caused by You attempting a challenge.
- PenTesting.Cloud is not responsible for a breach of Our systems, including our database containing Your information.
- PenTesting.Cloud is NOT responsible for any damages, either directly or indirectly, as a result of using our services, including but not limited to compromised Cloud Provider accounts, ToS violations from your Cloud Provider, throttling, account suspension or termination from your Cloud Provider, loss of business, loss of data, and business interruption. You agree to waive all claims against PenTesting.Cloud. Under no circumstances shall PenTesting.Cloud be liable for damages greater than $1 USD (one United States Dollar), which You agree is a fair amount since You have not paid anything to PenTesting.Cloud.
- You agree to indemnify and hold PenTesting.Cloud, its affiliated companies, suppliers, partners, owners, employees and contractors harmless from any claim or demand made by any 3rd party due to, or arising out of, Your actions using Our services, You attempting a challenge, or violation of Terms.
- You agree not to disparage PenTesting.Cloud, and PenTesting.Cloud’s officers, directors, employees, shareholders, contractors and agents, in any manner likely to be harmful to them or their business, business reputations or personal reputations.
- Should any part of Terms be deemed unenforceable or invalid, the remainder of the Terms will remain in effect.
- Any dispute arising from Terms will be governed by the laws of the State of Illinois without regard to conflict of law principles. You agree to submit to the personal and exclusive jurisdiction of the courts located within the county of DuPage, Illinois.
Challenge Rules
- You must abide by the Cloud Provider’s ToS and Rules regarding penetration testing at all times, even if it means a challenge cannot be solved, including but not limited to the rules at https://aws.amazon.com/security/penetration-testing/
- The scope of resources You can pentest is limited to resources launched within Your own Cloud Providers account, unless otherwise stated in the challenge.
- Do NOT try to pentest, hack, enumerate, fuzz, etc. Our website or any of Our resources. Your interaction with Our cloud resources is limited to downloading files from our S3 bucket, unless otherwise stated in the challenge.
- Challenges are designed to be solved mainly with regular API calls.
- Most AWS challenges are tested in and designed to be run in the us-west-2 region.
- Brute forcing, password cracking, fuzzing, port scanning, and other repetitive penetration testing methods are strictly prohibited and not required for any challenges.
- DNS Zone walking, any type of Denial of Service (DoS) attack or simulation, port flooding, protocol flooding, request flooding (both login and API), and network stress testing are strictly prohibited.
- A web scanner IS allowed for challenges which include an EC2, or similar, instance hosted within Your Cloud Provider account.
- If You are not sure if a certain technique is allowed, contact us prior to trying it.
- Cheating is not allowed. We reserve the right to remove points and/or badges if We suspect You of cheating.
- Credentials cannot be shared.
- There is a strict limit of 1 account per person. If we suspect You have created 1 or more additional accounts We will suspend or terminate all accounts associated with You including the original one. If You need assistance logging in, You agree to contact Us and not create another account.
- Challenge template files, scripts, etc. may not be modified (except to improve security as you see fit).
- After creating resources as pentesting-admin, switch to pentesting-user to complete the challenge, without modifying any resources (except to improve security as you see fit) or adding any additional permissions to pentesting-user.
- pentesting-user should be deleted after each challenge and before starting another challenge.
- Flags may not be shared or posted publicly.
- Walk-throughs, hints, spoilers may be given privately or posted publicly 1 month after a challenge has gone live. Sharing of hints, etc. before this is strictly prohibited.