These rules help you evaluate the security of your cloud services without affecting other Huawei Cloud customers or the infrastructure of Huawei Cloud.

Any penetration test that does not comply with these rules is considered unauthorized. We reserve the right to pursue legal action for such unauthorized penetration testing.

These rules apply only to customers who have purchased Huawei Cloud services (excluding services and products from the Huawei Cloud Store).

1. Perform any type of DoS or DDoS tests.

2. Perform automatic tests that may generate heavy traffic.

3. Perform ARP spoofing, DNS hijacking, or poisoning attacks.

4. Scan or test the data or other assets of other Huawei Cloud customers.

5. Launch phishing or other social engineering attacks against Huawei employees.

6. Perform any penetration testing on Huawei Cloud infrastructure and public services, including the official website, IAM, NTP, and DNS.

You can perform security evaluation and penetration testing on your service systems deployed on Huawei Cloud and the Huawei Cloud service instances you purchase at any time.

1. Huawei Cloud Managed Detection Response (MDR) is recommended for security evaluation and penetration testing.

2. Security services in Huawei Cloud Store are also recommended for security evaluation and penetration testing.

Product security is very important to Huawei Cloud.

If you suspect that Huawei Cloud resources are being used inappropriately or encounter any security vulnerabilities in the Huawei Cloud website, products, or services, please email hwssecurity@huaweicloud.com. For a more effective response to your report, please provide supporting materials, such as vulnerability reproduction conditions, proof-of-concept code, the IP address of the resource being used inappropriately, and suspicious behavior logs, to help the security response team understand the issue thoroughly. During the vulnerability handling, Huawei Cloud will limit the vulnerability information to be transferred to the minimum scope that is necessary for fixing the vulnerability. We would appreciate it if you keep the vulnerability information confidential before a solution is available. We will reply to all feedback. You will receive a confirmation email within one working day of your initial feedback.