Security testing, port scanning, and pen testing
The short answer
Security work on systems you own or are authorized to test is allowed. Security work aimed at third parties who haven't consented, or at us, is not. That single distinction, authorized target versus unauthorized target, is the whole policy, and it lines up with how the law treats the same activity.
There is no blanket ban on security tools. nmap, Nessus, OpenVAS, Metasploit, Burp Suite, sqlmap, hashcat, a full Kali install: they're ordinary software, and running them is a legitimate use of a VPS.
What's allowed
- Scanning and testing your own infrastructure: the VPS itself, your other servers, your own web apps.
- Authorized engagements: penetration testing a client's systems under a signed contract or written scope, bug-bounty testing within a program's stated rules, a red-team exercise you've been hired for.
- Learning and competition: CTF challenges, deliberately vulnerable practice targets (HackTheBox, TryHackMe, DVWA, your own lab), and security research against systems you control.
- Defensive tooling: running scanners against your own services to find your own weaknesses before someone else does.
The common thread is authorization. If you have the right to test the target, whether because you own it or because its owner gave you permission, our policy isn't aimed at you.
What's prohibited
From our Terms of Service and Acceptable Use Policy, the following are not permitted:
- Outbound port scanning, vulnerability scanning, or brute-force activity against third parties who haven't authorized it. The TOS names this directly, and the AUP treats a port scan or other information-gathering against another party's systems as a precursor to attempted intrusion.
- Any attempt to access, compromise, or subvert the security of our own systems or other customers' services. Testing your neighbors on the platform, or us, is never in scope; contact us for coordinated disclosure instead (see below).
- Denial-of-service or amplification traffic, which is a separate prohibition covered under our DDoS policy. A "stress test" against a target you don't own is an attack.
Unauthorized scanning is also how attackers begin, so it draws abuse reports and, in many jurisdictions, it's a crime independent of our terms. Both the report and the law land on you, not us, when the target didn't consent.
Practical notes
- Your testing must not generate abuse reports against our network. A target being scanned doesn't see your authorization letter; it sees probes from our IP and may complain to us. "It was authorized" is your matter with the target's owner, not a shield that makes the complaint our problem. Keep authorized testing tightly scoped and rate-limited so it stays between you and the consenting party, hold your written authorization to answer any dispute directly, and understand that repeated abuse complaints about your traffic can get your service suspended regardless of authorization. If you can't run an engagement without it spilling into abuse reports to us, it doesn't belong on the VPS.
- Incoming scans against your VPS are just the internet. Every public IP is scanned constantly; that's background noise, not an attack you need to report. Our own SSH firewall blunts the most common brute-force class automatically.
- Found a vulnerability in VPSDime itself? We welcome responsible disclosure. Don't test it against production or other customers; open a ticket describing what you found and we'll take it from there.
Still need help?
If you're unsure whether a specific engagement is in bounds, ask us first. A one-line description of the target and your authorization is usually all it takes for a clear yes. So we can answer on the first reply, it's worth mentioning:
- what you'll be running and against what,
- your basis for testing that target (you own it, or a scope/authorization from its owner),
- whether it's a one-off or ongoing.
Related questions
- "Can I run nmap or a port scanner from my VPS?"
- "Is penetration testing allowed on VPSDime?"
- "Can I use my VPS for bug bounty work?"
- "Is it OK to run a vulnerability scanner from my server?"
- "Can I test my own website's security from my VPS?"
- "Am I allowed to scan other servers?"