CloudKeeper is a Premier Partner and Member of the Governing Board at the FinOps Foundation
Overview

CloudKeeper has been working with 300+ businesses around the world managing $100 Mn+ in cloud billing annually. As a part of our continued efforts in ensuring safe and seamless use of our products and platforms with no exposure to threats, we are inviting security professionals from around the world to test and report any vulnerabilities on our website or products (in scope) and to be a part of our exclusive White-Hat Hall Of Fame.

Terms of Engagement

CloudKeeper is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us. Irrespective of the severity of the vulnerability, we would be happy to put your name in our Hall Of Fame. We thank all security researchers who are helping us to improve our overall security.

A submission will qualify for the Hall Of Fame if it includes:

  • Description of the vulnerability
  • Steps for reproducing the vulnerability. If we cannot reliably reproduce the issue, we cannot fix it.
  • Impact of the vulnerability, with an exploit scenario.
  • Proof of concept (explain what you were able to achieve; no attachment needed).

Please forward your findings to

breach@tothenew.com

In Scope & Out of Scope Targets

All parts of our website (https://www.cloudkeeper.com/) available to customers/guests are in scope and are our primary interest.

CloudKeeper uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed on a case-by-case basis.

Not Applicable Vulnerabilities

Please refrain from reporting the issues below. Even if they are reproducible, we classify them as informational rather than as security vulnerabilities.

  • Presence of banner or version information
  • OPTIONS / TRACE HTTP method enabled
  • “Advisory” or “Informational” reports such as user enumeration
  • Vulnerabilities requiring physical access to a system
  • Missing CAPTCHAs
  • Default web server pages
  • Brute-force attacks
  • Content injection
  • Hyperlink injection in emails
  • Missing SPF/DMARC records
  • Content spoofing
  • Issues relating to password policy
  • Full-path disclosure
  • Version number information disclosure
  • XML-RPC being publicly accessible (or enumeration using XML-RPC)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
  • Reports related to security headers: Strict-Transport-Security (HSTS), XSS mitigation headers (X-Content-Type and X-XSS-Protection), X-Content-Type-Options and Content Security Policy (CSP) settings (excluding a missing nosniff in an exploitable scenario)
  • Clickjacking (without a valid exploit)
  • DoS vulnerabilities
  • Any theoretical issue that does not appear to be exploitable

Let’s work towards a safer internet, one page at a time!