Bug Bounty & Vulnerability Research Program
We encourage responsible disclosure of security vulnerabilities through this bug bounty program. This document attempts to cover the most anticipated basic features of our policy; however, the devil is always in the details, and it is not practical to cover every conceivable detail in advance. Whenever there is any room for interpretation or judgment, we will rely on our own discretion, informed by the circumstances and your actions.
Bug Bounty Program Scope
This program covers security issues pertaining to services provided by us at getcloudapp.com and share.getcloudapp.com, including:
- web application vulnerabilities such as XSS, CSRF, and SQLi
- authentication issues
- authorization issues
- remote code execution
This program excludes (regardless of coverage indicated above):
- social engineering
- WordPress “issues” such as xmlrpc that are mitigated by our hosting provider
- out-of-date browsers and plugins
- vulnerabilities in 3rd party applications that do not directly affect our data or service
- spam of any kind
- denial of service attacks
- issues already known by us or previously reported to us by others
- issues that we have determined to be of acceptable risk
There are no rewards for security issues that are trivial or broadly applicable to every service, such as:
- Lack of password length restrictions
- Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
- Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim’s device(s)
- User existence/enumeration vulnerabilities
- Password complexity requirements
- Insecure cookie settings for non-sensitive cookies
- Bugs requiring exceedingly unlikely user interaction
- Reports from automated tools or scans (without accompanying demonstration of exploitability)
- Text-only injection in error pages
- Automatic hyperlink construction by 3rd party email providers
- Using email mutations (+, ., etc.) to create multiple accounts for a single email address
We only work with responsible disclosure and responsible parties. Your responsible behavior includes:
- Giving us reasonable time to investigate and mitigate your issue before using or sharing the information with others.
- Not interacting with our other users or accounts without their explicit consent, provided with full knowledge of your objectives.
- Avoiding all privacy violations and any disruption of service to other users and accounts.
- No exploitation of any security risk you discover, including additional demonstrations of the same risk.
- Providing your real name, proof of identity if requested, and a non-cash method by which we can pay you.
- Compliance with all applicable laws and regulations.
Reporting an issue
We appreciate how much work and effort goes into penetration testing. To avoid frustration, please review the common non-vulnerabilities listed above, which do not qualify for a reward.
If you have a valid issue, please include the following:
- The summary of the problem.
- A severity rating on a scale of 1 to 5 (1 being least severe and 5 being most severe, i.e., you can easily access, hijack or impersonate any account or data)
- A step-by-step breakdown of how to replicate the issue.
- The operating system and web browser name and version that you used to replicate the issue.
Note: If you plan to provide sensitive data/logs, secure cookies, or access tokens as an example, please mention it in the email subject.
We are extremely grateful for all those who put in their hard work to identify weaknesses within CloudApp. For reports that are not common non-vulnerabilities, we like to reward those who responsibly disclose vulnerabilities with an acknowledgement, swag or bounty money.
Vulnerability Research Submissions
Submit your report to firstname.lastname@example.org
All rewards are at our discretion. We attempt to align any award appropriately with the severity of the security risk.