Ensuring safe and effective infrastructure testing

We conduct regular penetration testing through certified third-party assessors to secure the Vercel platform. This guide explains why we handle infrastructure testing centrally and what security resources are available to customers.

Ivy Warren, GRC Analyst
Last updated October 8, 2025

At Vercel, we’re committed to providing a secure, transparent, and highly available platform for developers and enterprise organizations. As part of that commitment, we conduct penetration testing for our multi-tenant environment to help ensure the safety and stability of the platform for our customers. While penetration testing is a widely accepted security practice, customer-initiated infrastructure testing can introduce risks that extend beyond a single deployment, impacting shared services, platform stability, and compliance obligations. This guide explains how customers can rely on Vercel's security posture for infrastructure testing assurance.

We believe that security in a cloud environment is a shared responsibility between Vercel and our customers. Customers are responsible for the security of their own applications, code, environment variables, and access controls. Vercel is responsible for securing the infrastructure, platform, and underlying services that power customer deployments.

Our efforts to provide secure infrastructure include penetration testing through certified third-party assessors. The sections below detail the risks of customer-initiated testing and outline the secure, effective alternatives we provide to help customers validate our security posture.

The Vercel platform is built on a multi-tenant architecture where customer environments are logically segregated and fully isolated to prevent any unauthorized access or data leakage. While this architecture provides strong tenant boundaries by design, customer-led infrastructure testing introduces significant risk in a shared environment.

While customer data and environments remain isolated, certain underlying systems are shared across the platform: edge locations, caching layers, serverless compute, rate-limiting, and build orchestration queues. Infrastructure-level testing may unintentionally introduce load or behaviors that:

  • Affect the performance or availability of shared services
  • Trigger automated rate-limiting or blocking defenses
  • Delay builds or deployments
  • Interrupt normal workflows, even within the initiating customer’s environment
  • Cause performance degradation, trigger false alarms, or affect availability across multiple customer environments

Vercel relies on major cloud providers for hosting and infrastructure services. These providers often prohibit unauthorized security testing of shared infrastructure in their terms of service to preserve service availability, enforce tenant isolation, and ensure consistent performance across the platform.

While customers are encouraged to assess and test the security of their own applications and configurations, infrastructure-level testing is coordinated directly through Vercel. This approach ensures both platform integrity and compliance with external obligations, while empowering customers to manage their part of the shared responsibility model effectively.

Our internal system of controls is designed to give customers the confidence that the infrastructure they build on is resilient, secure, and available. By handling infrastructure-level testing centrally, we ensure a consistent, high standard of security across the platform while enabling customers to focus on safeguarding their own applications and data.

We align with industry standards (i.e., NIST 800-53) and maintain multiple compliance framework certifications that require authorized, controlled testing executed by qualified, independent third parties. Customers can access the following security documentation through Vercel's Trust Center:

  • Compliance reports and certifications (SOC 2 Type 2, ISO 27001, HIPAA, PCI)
  • Internal security policies
  • Penetration testing summaries and third-party audit results
  • Supplemental security and compliance artifacts

Vercel engages certified, independent third parties to perform regular penetration tests throughout the year. These tests include both infrastructure and application-layer testing and follow industry standard methodologies, including OWASP and NIST. These assessments:

  • Test in controlled environments designed to avoid disruption to customer workloads
  • Ensure continuity of service by coordinating tests so they do not degrade performance or availability
  • Include shared platform systems (edge infrastructure, build services, serverless runtimes)
  • Deliver results following recognized industry frameworks

We partner with vetted ethical hacking platforms to operate our bug bounty program, enabling a community of trusted security researchers to help identify potential vulnerabilities as an extension of our internal security team.

Testing is conducted in a structured manner that enhances platform security while preserving the stability of production systems and customer workloads. The program enables Vercel and our customers to benefit from the scale and expertise of the global security community within a safe and managed process for testing and disclosure. Verified reports are triaged, prioritized, and remediated by our security team to support ongoing security assurance across the platform and infrastructure.

This model strengthens our defense-in-depth approach, combining third-party penetration testing, internal security controls, and continuous external research into a comprehensive strategy for securing the platform.

While infrastructure-level penetration testing is coordinated through Vercel, customers may perform application-level testing within their own projects. We support controlled load testing of deployments and provide guidance for application-level penetration testing for Pro and Enterprise customers.

Additionally, Vercel provides infrastructure-focused tools and features that help customers strengthen the security of their own applications:

Security is embedded throughout the Vercel platform. Our infrastructure and product features are designed to help you meet your security and compliance goals from day one.

Explore the Trust Center to access our security testing documentation, compliance reports, and certifications that support your internal assurance and audit programs.
