Responsible Disclosure of Vulnerabilities
affecting CloudSEK and XVigil

Published on 01-December-2020
Updated on 01-March-2021 – V1.0

At CloudSEK, our utmost priority is the security of our products and services, and the safety of your data, as well as ours. We understand that security is essential in maintaining the trust you place in us to provide products and services to you.

As a team of enthusiastic security researchers, we work vigilantly every day to keep our customers' information secure. But we at CloudSEK truly believe that nothing is completely secure, no matter how much effort we put in. We therefore welcome responsible security researchers from the community to help us improve our products and services and secure our users' data, and we look forward to working with skilled security researchers.

If you believe you have found a security vulnerability, irrespective of whether its severity is low or critical, please send us your report privately and allow us 5-7 business days for acknowledgment. If the vulnerability is found to be legitimate, we would love to work with you to address it as quickly as possible.

As of now, we are not offering monetary rewards for any vulnerabilities. However, if your submission is valid, we will send you a token of our appreciation in the form of some "AWESOME SWAG."

In-Scope Services
  • Any products or services owned and operated by CloudSEK.
Out-of-Scope Services
  • Any third-party services, including those used by CloudSEK but not operated by it.
In-Scope Vulnerabilities

We are interested in the following types of vulnerabilities:

  • SQL injection
  • Privilege escalation
  • Remote or local code execution
  • File inclusion (local and remote)
  • Authentication bypass
  • Leakage of sensitive data
  • Administration portals reachable without an authentication mechanism
  • Open redirects that allow stealing tokens or secrets
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Protection mechanism bypasses (CSRF token bypass, etc.)
  • Directory traversal
Out-of-Scope Vulnerabilities

The types of vulnerabilities excluded include, but are not limited to:

  • Self-XSS
  • Tabnabbing
  • Email spoofing
  • Content spoofing
  • Missing cookie flags
  • Best-practice issues without a demonstrated security impact
  • Content injection
  • Long-string validation issues and denial-of-service (DoS) attacks
  • Clickjacking / UI redressing
  • HTTPS/SSL/TLS configuration issues
  • Physical or social engineering attacks
  • Login, logout, unauthenticated or other low-impact CSRF
  • Unverified results of automated tools or scanners
  • Missing SPF/DMARC records on domains or subdomains that do not send email
  • Attacks requiring MITM or physical access to a user's device
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Error information disclosure that cannot be used for a direct attack
  • Missing security-related HTTP headers that do not lead directly to a vulnerability
Exclusions

While researching, please refrain from:

  • Attempting to gain access to other users' accounts or data
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Impacting or affecting other users
  • Spamming
  • Social engineering or phishing of CloudSEK employees or contractors
  • Any attacks against CloudSEK's physical property or data centers
Rules of Engagement

When submitting a potential vulnerability, please include the following for it to qualify as a valid submission:

  • Description of the vulnerability
  • Detailed steps to reproduce the vulnerability
  • Supporting material (screenshots, request/response captures, logs)
  • Proof of concept
  • Impact of the vulnerability
  • Exploit scenarios
  • Mitigation or patch, if available

If you believe you have discovered a potential vulnerability, please submit your findings in the format above to [email protected] / [email protected]. We will acknowledge your email as soon as possible.