I'd never considered that someone might make their staging environment publicly accessible. At the various places I've worked, we've always accomplished that using internal DNS and firewalls. From the inside it looks like a real site.

I guess if you're gonna do some freaky A/B testing this might be a good idea. I dunno, though... it really depends where vulnerability testing occurs in your lifecycle (before, during or after staging).

EDIT: Right, you might make it accessible to the outside world to leverage cloud-based vulnerability-assessment or load-testing tools. All good then.