CloudKeeper has been working with 300+ businesses around the world managing $100 Mn+ in cloud billing annually. As a part of our continued efforts in ensuring safe and seamless use of our products and platforms with no exposure to threats, we are inviting security professionals from around the world to test and report any vulnerabilities on our website or products (in scope) and to be a part of our exclusive White-Hat Hall Of Fame.
All parts of our website (https://www.cloudkeeper.com/) available to customers/guests are in scope and are our primary interest.
CloudKeeper uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed on a case-by-case basis.
Please refrain from sending us a report on the below issues. Even if they are reproducible, we consider them as Informational and not a security vulnerability.
- Presence of banner or version information
- OPTIONS / TRACE HTTP method enabled
- “Advisory” or “Informational” reports such as user enumeration
- Vulnerabilities requiring physical access to a system
- Missing CAPTCHAs
- Default web server pages
- Brute-force attacks
- Content injection
- Hyperlink injection in emails
- Missing SPF/DMARC records Content Spoofing
- Issues relating to password policy Full-path disclosure
- Version number information disclosure
- XML.RPC being accessible publicly (Or enumeration using XML.RPC)
- CSRF-able actions that do not require authentication (or a session) to exploit
- Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
- Reports related to the security-related headers: Strict Transport Security (HSTS) – XSS mitigation headers (X-Content-Type and X-XSS-Protection) – X-Content- Type-Options – Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
- Click-jacking (without a valid exploit)
- DOS vulnerabilities
- Any theoretical issue, which does not seem to be exploitable