Vulnerability Disclosure Policy
The safety and security of our customers’ data, and the reliability of our products and services, are of utmost importance. Therefore, we aim to design and make products and services with the highest levels of security and reliability. Despite our best efforts, due to the highly complex and sophisticated nature of our products and services, vulnerabilities and errors may still be present in our infrastructure (sites and servers) used to provide the products and services.
This policy describes SimplerCloud’s approach to requesting and receiving reports related to potential vulnerabilities and errors in its sites and servers used to provide the products and services.
Customers, users, researchers, partners and any other person that interacts with SimplerCloud’s products and services are encouraged to report identified vulnerabilities and errors by using the Vulnerability Disclosure Policy form available.
SimplerCloud highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. This will contribute to improving the security and reliability of our products and services.
Please note that supplying your contact information with your report is entirely voluntary and at your discretion. You can be assured that SimplerCloud will only use such information to clarify the details of your report with you, if necessary. To learn more about our general privacy policy, please visit: https://www.simplercloud.com/privacy/.
By making a report to SimplerCloud using the form on the Vulnerability Disclosure Policy platform, or otherwise communicating a report to SimplerCloud regarding vulnerabilities and errors, you agree to the following terms:
SimplerCloud may use your report for any purpose deemed relevant by SimplerCloud, including without limitation, for the purpose of correcting any vulnerabilities and errors that are reported and that SimplerCloud deems to exist and to require correction. To the extent that you propose any changes and/or improvements to a SimplerCloud product or service in your report, you assign to SimplerCloud all use and ownership rights to such proposals.
You further confirm to SimplerCloud that:
- You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to SimplerCloud), the discovered vulnerabilities and/or errors
- You have not engaged, and will not engage, in testing/research of systems with the intention of harming SimplerCloud, its customers, employees, partners or suppliers;
- You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;
- You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
- You have not tested, and will not test, the physical security of any property or building of SimplerCloud;
- You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the SimplerCloud products or services that led to your report;
- You agree not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, nor the fact that vulnerabilities and/or errors have been reported to SimplerCloud.
SimplerCloud does not guarantee that you will receive any response from SimplerCloud related to your report. SimplerCloud will only contact you regarding your report if SimplerCloud deems it necessary.
- You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by SimplerCloud.
- The classification of the severity of the vulnerabilities reported is at the discretion of SimplerCloud. We reserve the rights to reject or not respond to any report of issues or vulnerabilities received.
- Any financial or monetary award issued as a result of this disclosure exchange is entirely at the discretion of SimplerCloud.
Furthermore, you agree to the following:
Eligibility and Responsible Disclosure
If a monetary reward, or any response that may be considered a reward, is issued by SimplerCloud, it will be issued only to those who meet the following eligibility requirements:
– You need to be the first person to report an unknown issue.
– Any vulnerability found must be reported no later than 24 hours after discovery.
– You are not allowed to disclose details about the vulnerability anywhere else.
– You must avoid using tests or applications that could cause degradation or interruption of our service.
– You must not exploit the vulnerability beyond PoC (proof of concept) purposes.
– You must not leak, manipulate, or destroy any data.
– You are only allowed to test against accounts you own yourself.
– The use of automated tools or scripted testing is not allowed.
– You must not be a former or current SimplerCloud employee.
In-Scope Sites and Servers
1. Our main website – https://www.simplercloud.com/
2. Our client area portal – https://my.simplercloud.com/
All other sites, servers, services, applications, networks or products are out of scope. Third-party software, applications, sites, and servers are also out of scope.
In-Scope and Out of Scope Vulnerabilities
SimplerCloud expects that the vulnerabilities being reported are those with real security impacts on our sites and servers.
Activities such as, but not limited to the following, are out of scope.
– SSL/TLS Best Practices
– DNS configuration issues (e.g. misconfiguration or non-existence of SPF/DKIM/DMARC/CAA records, among others)
– Click-jacking risks
– Session timeout risks
– DOS/DDOS and brute forcing attacks (password guessing)
– Missing HTTP/HTTPS headers
– Any vulnerability that involves social engineering (such as sending a link via email or chat, or using an external phishing website, to trick a victim into performing the attack)
– Information disclosure
– Any best practices without exploitable proof of concepts
– Vulnerabilities on SimplerCloud customers' servers and applications
While we intend to respond and resolve reported issues as quickly as possible, we cannot guarantee a minimum response time. We will, however, endeavour to respond to you within five to fifteen working days.
Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the SimplerCloud brand, will result in immediate disqualification from any vulnerability disclosure activity. Any violation of the terms and conditions stated above will also immediately disqualify the vulnerability disclosure activity from qualifying for financial remuneration or remuneration of any kind.
