The Cloudstaff Bug Bounty program fosters collaboration with security professionals to help protect our customers’ personal information from malicious activity arising from vulnerabilities in our networks, web and mobile applications, and from gaps in the security policies set across our organization.
We treat the security and safety of our customers’ personal information with the utmost importance. For the protection of our customers, Cloudstaff does not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.
Please ensure you adhere to the following rules when participating in our program; they also determine whether your submission is eligible for a bounty:
- Do not intentionally harm the experience or usefulness of the service for others, including degrading services or performing denial of service attacks.
- Do not attempt to view, modify, or damage data belonging to others.
- Do not disclose the reported vulnerability to others until we’ve had a reasonable time to address it.
- Do not use automated vulnerability scanners or any other form of automated testing against Cloudstaff’s websites or applications.
- During the investigation into the security vulnerability, we ask that you maintain full confidentiality of the issues and not publicly discuss, imply, or hint at the existence of such vulnerability. Failure to maintain confidentiality will disqualify you from receiving any bounty, disqualify you from future submissions under this program, and Cloudstaff will pursue legal action.
- You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
- You must be the first to report the issue to be eligible for a bounty.
- You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Cloudstaff SQAs and Developers directly involved in the tool or application under test are not eligible to participate in this program.
- You must be at least 18 years of age.
Targets eligible for reward
Currently, we offer monetary rewards only for the properties listed below. Subdomains not specifically listed are not included in the Targets Eligible for Reward.
Some unique issue types not tied to a specific listed domain, such as reports of subdomain takeovers, may also be eligible for a reward. We may modify this list over time, so be sure to visit our policy often to review any updates.
Exclusions
The following issue types are out of scope and are not eligible for a bounty:
- Denial of service attacks
- Descriptive error messages or headers (e.g. stack traces, application or server errors, banner grabbing)
- Disclosure of known public files or directories
- Outdated software/library versions
- HTTP OPTIONS or TRACE methods enabled
- CSRF on logout
- CSRF on forms available to anonymous users
- Cookies for non-sensitive data that lack the HttpOnly or Secure flags
- Domain spoofing
- Issues found through automated testing
- Self-XSS and issues exploitable only through Self-XSS
- Reports resulting from automated scanning utilities without additional details or a PoC demonstrating a specific exploit
- Attacks requiring physical access to a user’s device
- Attacks dependent upon social engineering of Cloudstaff employees or vendors
- Username enumeration via login or forgot-password pages
- Missing or weak brute-force protection and account lockout policies
- SSL/TLS best-practice findings
- Clickjacking without additional details demonstrating a specific exploit
- Session fixation
- Tabjacking/tabnabbing, open redirects and missing DNS CAA records
- Mail configuration issues, including SPF, DKIM and DMARC settings
- Use of a known-vulnerable library without a description of an exploit specific to our implementation
- Password and account recovery policies
- Presence of autocomplete functionality in form fields
- Publicly accessible login panels
- Lack of email address verification during account registration
- Rate-limiting issues
- Content spoofing/text injection
- Missing security headers without additional details or a PoC demonstrating a specific exploit
- Mixed content issues
- Attacks requiring a man-in-the-middle (MiTM) position
- Sessions remaining active after a password change
- Hyperlink injection in emails sent via forms available to any user
- Host header injection
Cloudstaff reserves the right to add to or remove from the Exclusions list depending on the evaluated severity of reported vulnerabilities and our risk acceptance.
All bounty amounts are at the discretion of the Cloudstaff Bug Bounty team, which evaluates each report’s severity, impact and quality to determine the bounty level. Bounties are awarded to the first reporter of a vulnerability only.
What to include in your report
A well-written report will allow us to triage your submission more quickly and accurately. Please include:
- A clear description of the issue, including the impact you believe it has on users, Cloudstaff and others.
- Specific reproduction steps, including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Your recommendations for resolving the issue.
Submit your report to firstname.lastname@example.org or use the form below.
Cloudstaff reserves the right to modify the terms and conditions of this program and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time. Must be 18 or older to be eligible for an award.