CloudXray Security Bug Bounty Program
Introduction
Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards for critical vulnerabilities.
Below you can find information about the rules, scope and reporting requirements.
Happy hacking!
Before You Start
Check the list of domains that are in scope for the Security Bug Bounty Program and the list of targets for useful information for getting started. All CloudXray application testing should be performed on the dedicated application instance https://app.dev1.dev.cloudxray.co/.
Check the list of bugs that have been classified as ineligible. Submissions which are ineligible will likely be closed as Not Applicable.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
When in doubt, contact us at security@cloudxray.io.
By participating in CloudXray's Security Bug Bounty Program (the "Program"), you acknowledge that you have read and agree to CloudXray's Terms of Service as well as the following:
You're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.
You're not currently a CloudXray employee or contractor, were not a CloudXray employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.
Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
CloudXray reserves the right to terminate or discontinue the Program at its discretion.
Only test for vulnerabilities on sites you know to be operated by CloudXray and are in-scope of the Program. Some sites hosted on subdomains of cloudxray.co are operated by third parties and should not be tested.
Legal Safe Harbor
Your research is covered by the CloudXray Security Bug Bounty Program Legal Safe Harbor policy. In summary:
We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this Security Bug Bounty Program's scope.
We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.
Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.
If your security research as part of the Program violates certain restrictions in our service policies, the safe harbor terms permit a limited exemption.
Performing Your Research
Do not impact other users with your testing, this includes testing vulnerabilities in accounts and users you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.
The following are never allowed and are ineligible for reward. We may suspend your CloudXray account and ban your IP address for:
Performing distributed denial of service (DDoS) or other volumetric attacks.
Spamming content.
Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.
Note: We do allow the use of automated tools as long as they do not produce excessive amounts of traffic. For example, running one Nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.
Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:
Research must be performed in CloudXray organization and user accounts you own
Stop immediately if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability - CloudXray's security team will be able to determine the impact.
There are no limits for researching denial of service vulnerabilities against your own private (self-hosted) instance of CloudXray service.
Handling Personally Identifiable Information (PII)
Personally identifying information (PII) includes:
legal and/or full names
names or usernames combined with other identifiers like phone numbers or email addresses
health or financial information (including insurance information, social security numbers, etc.)
information about political or religious affiliations
information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes
Also:
Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.
Report the vulnerability immediately and do not attempt to access any other data. The CloudXray Security team will assess the scope and impact of the PII exposure.
Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.
You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.
We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.
Reporting Your Vulnerability
Send your reports to security@cloudxray.io. Please don’t send information to any other channel such as other emails, chat, support, etc - these requests won’t be entertained and might disqualify you from the program.
Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.
For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
Do not publicly disclose your submission until CloudXray has evaluated the impact.
The Scope Of The Program
CloudXray runs a number of services but only submissions under the following domains are eligible for rewards. Any CloudXray-owned domains not listed below are not in-scope, not eligible for rewards and not covered by our legal safe harbor:
app.dev1.dev.cloudxray.co
api.dev1.dev.cloudxray.co
API documentation: https://api.dev1.dev.cloudxray.co/docs
The accepted categories include injection attacks, authentication or authorization flaws, cross-site scripting, sensitive data exposure, privilege escalation, and other security issues.
The following resources are specifically outside of the scope of the Program:
cloudxray.io
Please do not report about the following issues:
Excel CSV formula injection, scripting within PDF documents
Reports based on product/protocol version without demonstration of real vulnerability presence
Theoretical attacks without proof of exploitability
Missing/incorrect DNSSEC, SPF, DKIM or DMARC records
Reports of missed protection mechanism / best practice (e.g. no CSRF token, framing/clickjacking protection) without demonstration of real security impact for user or system
Username/email existence/enumeration vulnerabilities
Missing sensitive security headers
Self-signed SSL certificates on any CloudXray IP addresses
Issues related to deprecated web browsers and/or systems
Vulnerabilities in product versions no longer under active support
Just showing that a page can be iframe’d without providing clickjacking impact.
Insecure cookie settings for non-sensitive cookies
Reports from automated tools or services (without accompanying demonstration of exploitability)
Text-only injection in error pages
Automatic hyperlink construction by 3rd party email providers
Using email mutations to create multiple accounts for a single email
Receiving Your Award
All reward amounts are determined by our severity guidelines:
Critical: Vulnerabilities that we think violate our fundamental security of the CloudXray Service (for example, the escalation of privilege from unauthenticated to administrators, privileged remote code execution, access to customer data) will be considered P1 and typically eligible for a minimum of $300.
Minimum: Any vulnerability that we fix in response to a submission via our program will be eligible for a minimum of $20.
Also:
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Bounty payments, if any, will be determined by CloudXray at CloudXray's sole discretion. In no event shall CloudXray be obligated to pay you a bounty for any Submission. All bounty payments shall be considered gratuitous.
Thank you for helping keep CloudXray and our users safe!