Responsible Disclosure of Vulnerabilities

Learn how to report security flaws ethically and safely to improve overall security
Version
2.0.0
Updated on
23-January-2023
Published on
01-December-2020

Overview

At CloudSEK, our utmost priority is the security of our products and services, and the safety of your data as well as ours. We understand that security is essential to maintaining the trust you place in us to provide products and services to you.

As a team of enthusiastic security researchers, we work vigilantly every day to keep our customers' information secure. But we at CloudSEK firmly believe that nothing is completely secure, no matter how much effort we put in. We therefore welcome responsible security researchers from the community to help us improve our products and services and secure users' data, and we look forward to working with skilled security researchers.

If you believe you have found a security vulnerability, irrespective of its severity (low or critical), please send us your report privately and allow us 5-7 business days for acknowledgment. If the vulnerability is confirmed, we will work with you to address it as quickly as possible.

Rewards

As of now, we do not offer monetary rewards for any vulnerabilities. However, if your submission is valid, we will send you a token of our appreciation in the form of some "AWESOME SWAG."

Scope

In-Scope Services

- Any products or services owned by CloudSEK.


Out-of-Scope Services

- Any third-party services
- Staging domains of CloudSEK

In-Scope Vulnerabilities

We are interested in the following types of vulnerabilities:

- SQL injections
- Privilege Escalations
- Code Executions
- File inclusions (Local & Remote)
- Authentication Bypasses
- Leakage of sensitive data
- Administration portals without an authentication mechanism
- Open redirects that allow stealing tokens/ secrets
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Directory Traversal


Out-of-Scope Vulnerabilities

Excluded vulnerability types include, but are not limited to:

- Self-XSS
- Tabnabbing
- Email spoofing
- Content spoofing
- Missing cookie flags
- Best practices / issues
- Content injection
- Long string validation / DoS attacks
- Clickjacking / UI redressing
- HTTPS / SSL / TLS related issues
- Physical or social engineering attacks
- Login / logout / unauthenticated / low-impact CSRF
- Unverified results of automated tools or scanners
- No SPF / DMARC on non-email domains or subdomains
- Attacks requiring MITM or physical access to a user's device
- Vulnerabilities affecting users of outdated browsers or platforms
- Error information disclosure that cannot be used for a direct attack
- Missing security-related HTTP headers that do not lead directly to a vulnerability
- xmlrpc.php open to the public
- WordPress-related user info disclosure
- Insecure CORS at the wp-json endpoint, and CVE-2018-6389
- User enumeration at various endpoints, and absence of rate limiting at various endpoints


Exclusions

While researching, please refrain from:

- Testing forms hosted by an external party. All "Request a Demo" forms are hosted on HubSpot; anyone testing them will be barred from participating in the vulnerability disclosure program.
- Attempting to gain access to other users' accounts or data
- Distributed Denial of Service (DDoS)
- Impacting or affecting other users
- Spamming
- Social engineering or phishing of CloudSEK employees or contractors
- Any attacks against CloudSEK's physical property or data centers

Rules of Engagement

When submitting potential vulnerabilities, please include the following for the report to qualify as a valid submission:

- Description of the vulnerability
- Detailed steps to reproduce the vulnerability
- Supporting material
- Proof of concept
- Impact of the vulnerability
- Exploit scenarios
- Mitigation / patch, if available

Report

If you believe you have discovered a potential vulnerability, please submit your findings, following the report format described under Rules of Engagement, to [email protected]. We will acknowledge your email as soon as possible, within the 5-7 business days noted above.