From 9ea90a4e7c7f0730fda6defdce13fbe83dc1b256 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Wed, 31 Dec 2025 13:32:18 +0100 Subject: [PATCH 1/3] Add penetration testing policy --- .../penetration-testing-policy | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 docs/about-hypernode/security-policies/penetration-testing-policy diff --git a/docs/about-hypernode/security-policies/penetration-testing-policy b/docs/about-hypernode/security-policies/penetration-testing-policy new file mode 100644 index 00000000..68570397 --- /dev/null +++ b/docs/about-hypernode/security-policies/penetration-testing-policy 
@@ -0,0 +1,40 @@ +--- +myst: + html_meta: + description: Hypernode's policy for customers that wish to run a pentest on their website + title: Penetration Testing Policy | Security | Hypernode +--- + +# Customer Pentest Policy + +```{important} +This policy is for customers that wish to perform an external penetration test on their own hosting environment. For Unaffiliated third-parties that wish to test the Hypernode platform itself, we have a separate [Responsible Disclosure Policy](responsible-disclosure-policy.md). +``` + +At Hypernode, we support responsible security testing practices that help customers improve the safety and resilience of their hosted application, and our platform. Customers may conduct penetration tests on their own hosting environments under the following conditions and guidelines. + +## Scope of Testing +Penetration testing is only permitted on the customer's *own* hosting space. Testing must not extend to, or affect, any other part of the platform or infrastructure managed by either Hypernode, or other Hypernode customers.. + +## Requirements +Penetration testing is allowed under the following conditions: + +* All pentests must be performed by a reputable, experienced, party. +* You will [inform us](https://www.hypernode.com/en/support/) at least 72 hours ahead of time, and let us know the time, source IP(s) and target of the pentest. +* If the pentest causes, or discovers, any server side issues, you will share the full report of the pentest with us afterwards. You will keep these findings confidential, untill we've had the opportunity to assess and address the issue. + +We do not allow pentests that: +* Rely on Social Engineering. +* Perform Brute Force testing. +* Test (D)DoS protection or -resilience. +* Test Physical Security of Datacenters, Offices, etc. +* May cause permanent damage to hardware or equipment. 
+ +You may wish to add the source IP's of the pentest to the [Hypernode WAF allowlist](./../../best-practices/firewall/ftp-waf-database-allowlist.md), to prevent our automated systems from affecting the test. + +## Security Waivers +Hypernode explicitly gives its customers permission to test their own Hypernode hosting environment. If your penetration testing partner still requires a signed waiver, please [contact us](https://www.hypernode.com/en/support/). + +# Hypernode's Own Pentest Policy + +Hypernode performs regular penetration tests of both the Hypernode hosting platform, and its internal applications like the Hypernode Control Panel. Details about these penetration tests are available for customers [upon request](https://www.hypernode.com/en/support/). From 80ccf9d147b7ba2daaed2b91c140914375538726 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Wed, 31 Dec 2025 13:53:10 +0100 Subject: [PATCH 2/3] Fix filename --- .../{penetration-testing-policy => penetration-testing-policy.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/about-hypernode/security-policies/{penetration-testing-policy => penetration-testing-policy.md} (100%) diff --git a/docs/about-hypernode/security-policies/penetration-testing-policy b/docs/about-hypernode/security-policies/penetration-testing-policy.md similarity index 100% rename from docs/about-hypernode/security-policies/penetration-testing-policy rename to docs/about-hypernode/security-policies/penetration-testing-policy.md From 055355ae59fd836d9240494a99e84a03bb257e7b Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Wed, 31 Dec 2025 16:15:31 +0100 Subject: [PATCH 3/3] Fix formatting --- .../penetration-testing-policy.md | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/docs/about-hypernode/security-policies/penetration-testing-policy.md b/docs/about-hypernode/security-policies/penetration-testing-policy.md index 68570397..d21815c5 100644 
--- a/docs/about-hypernode/security-policies/penetration-testing-policy.md +++ b/docs/about-hypernode/security-policies/penetration-testing-policy.md @@ -1,7 +1,8 @@ --- myst: html_meta: - description: Hypernode's policy for customers that wish to run a pentest on their website + description: Hypernode's policy for customers that wish to run a pentest on their + website title: Penetration Testing Policy | Security | Hypernode --- 
@@ -14,25 +15,28 @@ This policy is for customers that wish to perform an external penetration test o At Hypernode, we support responsible security testing practices that help customers improve the safety and resilience of their hosted application, and our platform. Customers may conduct penetration tests on their own hosting environments under the following conditions and guidelines. ## Scope of Testing + Penetration testing is only permitted on the customer's *own* hosting space. Testing must not extend to, or affect, any other part of the platform or infrastructure managed by either Hypernode, or other Hypernode customers.. ## Requirements + Penetration testing is allowed under the following conditions: -* All pentests must be performed by a reputable, experienced, party. -* You will [inform us](https://www.hypernode.com/en/support/) at least 72 hours ahead of time, and let us know the time, source IP(s) and target of the pentest. -* If the pentest causes, or discovers, any server side issues, you will share the full report of the pentest with us afterwards. You will keep these findings confidential, untill we've had the opportunity to assess and address the issue. +- All pentests must be performed by a reputable, experienced, party. +- You will [inform us](https://www.hypernode.com/en/support/) at least 72 hours ahead of time, and let us know the time, source IP(s) and target of the pentest. +- If the pentest causes, or discovers, any server side issues, you will share the full report of the pentest with us afterwards. You will keep these findings confidential, untill we've had the opportunity to assess and address the issue. We do not allow pentests that: -* Rely on Social Engineering. -* Perform Brute Force testing. -* Test (D)DoS protection or -resilience. -* Test Physical Security of Datacenters, Offices, etc. -* May cause permanent damage to hardware or equipment. +- Rely on Social Engineering. +- Perform Brute Force testing. 
+- Test (D)DoS protection or -resilience. +- Test Physical Security of Datacenters, Offices, etc. +- May cause permanent damage to hardware or equipment. You may wish to add the source IP's of the pentest to the [Hypernode WAF allowlist](./../../best-practices/firewall/ftp-waf-database-allowlist.md), to prevent our automated systems from affecting the test. ## Security Waivers + Hypernode explicitly gives its customers permission to test their own Hypernode hosting environment. If your penetration testing partner still requires a signed waiver, please [contact us](https://www.hypernode.com/en/support/). # Hypernode's Own Pentest Policy
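Review bot: in patch 1/3 (hunk `@@ -0,0 +1,40 @@`), the prohibited list entry "Perform Brute Force testing." does not define what counts as brute force, so a tester cannot tell from the policy whether rate-limited credential checks or directory enumeration fall under it; a one-line definition or a request-rate threshold would make the rule checkable. The same hunk has a doubled period at the end of the Scope of Testing paragraph ("Hypernode customers..") and a capitalised "Unaffiliated" mid-sentence in the `{important}` block.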
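Review bot: the rename in patch 2/3 could be squashed into 1/3, so that no commit in the series adds the page without its `.md` extension while the `{important}` block in the same file already links to `responsible-disclosure-policy.md`.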
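Review bot: in patch 3/3 (hunk `@@ -1,7 +1,8 @@`), the `description:` value is now split over two lines, which only parses as a single scalar if the continuation line `website` is indented deeper than the `description:` key. Please confirm the rendered meta description still reads as one sentence, or keep the value on one line or quote it.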
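Review bot: in patch 3/3 (hunk `@@ -14,25 +15,28 @@`), the re-added third Requirements bullet still spells "untill"; since the line is rewritten here anyway, change it to "until". The unchanged context lines in this hunk also keep the doubled period in "Hypernode customers.." and the apostrophe in "source IP's", which should read "source IPs"; a formatting pass is a reasonable place to fix both.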