Cloudways is a managed web hosting platform that specializes in providing an easy-to-manage environment for web applications.
The idea behind offering bounty for bugs is to tap into the expertise of the InfoSec community and discover the gaps in the Cloudways Platform’s security. The emphasis is on offering a secure user experience to our customers and to ensure that the Cloudways Platform remains the most secure managed hosting option for our users.
Ratings & Rewards:
At its core, this program adheres to the standard Bugcrowd Vulnerability Rating Taxonomy (VRT), and initial bug priorities (and thus the rewards) will be decided on the basis of the VRT. However, in some cases the bug priority can be revised (with a consequent impact on the reward) because of the likelihood of occurrence and the impact on the Cloudways Targets listed below. We reserve the right to change the priority and associated reward of a vulnerability after assessing its impact.
Vulnerabilities that fall into the “Non-Rewarded” section will be rewarded with Kudos points only. These vulnerabilities are listed in the section below.
- Cross-Site Scripting (XSS)
Please be aware that Cloudways may take up to three weeks to accept any given submission and allocate the reward. No rewards should take longer than three weeks to process.
Reward Range:
| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $2,500 |
| P2 Severe | $750 - $1,250 |
| P3 Moderate | $100 - $300 |
| P4 Low | $50 - $100 |
Any Cloudways domain/subdomain/property not listed in this Targets section is out of the scope of this program.
Detailed Target Information:
The Cloudways Bug Bounty Program focuses on the following three areas:
1. Cloudways Platform
Cloudways Platform is the primary target for this program.
Cloudways Platform is the main interaction point for Cloudways customers. Through the Platform, customers can launch managed cloud servers and then set up their applications on those servers. Once an application is up, the Cloudways Platform provides users with options to manage their servers and applications.
The Cloudways Platform should be tested from the user’s perspective. In addition to the standard VRT vulnerabilities, we invite you to test the Platform as per the "Focus Areas" section below.
2. Cloudways API
Cloudways API offers an alternative to the Cloudways Platform. Many, but not all, of the actions that the Cloudways Platform allows through the UI can also be performed through the Cloudways API.
Where a vulnerability applies to both the Platform and the API, it will be treated as a single reported incident.
For API Docs, refer to the link: https://developers.cloudways.com/docs/
3. Cloudways Developers
Cloudways Developers is the portal that authorizes API keys for use with the Cloudways API. Vulnerability testing of this target should focus on the API authorization process ONLY. All other areas of Cloudways Developers are strictly OUT OF SCOPE.
Test Account Provisioning:
The following are the requirements for setting up your Cloudways platform test account:
- Register ONLY with your @bugcrowdninja.com email at the Cloudways Signup page.
Focus Areas:
While testing Cloudways targets from a user’s perspective, your efforts should be directed towards the following areas:
1. Testing of the Cloudways Platform and API, with a focus on:
- Any action(s) which a user is not authorized to perform via the Platform or API and which, as a result, can cause a security breach in the Cloudways infrastructure.
- Access to sensitive information, including but not limited to passwords, API keys and personal data of customers.
- Cross-account login/operations via the Platform and API.
2. Testing of the underlying management and orchestration layer used by the Cloudways Platform and API to manage customer servers, which may include:
- Any malicious activity from the orchestration layer on a single server or multiple servers.
Please note that if you find any exploits, BE CAREFUL when testing and inform Cloudways prior to any invasive or impactful testing.
You are NOT ALLOWED to take any vulnerability (fixed or otherwise) public at any time. In all cases, you should report discovered vulnerabilities through the appropriate channels.
- Reports MUST include clear steps (Proof of Concept) to reproduce and re-validate the vulnerability. You can attach videos and images in standard formats.
- Testing should ONLY be done on and through the account(s) that you own.
Prohibited Actions/Activities during testing:
- Launching servers greater than 4GB.
- Creating Cloudways Support tickets.
- Using Cloudways servers for any illegal activities including but not limited to hosting malicious and phishing websites, abusing server bandwidth to carry out DDoS attacks, brute force attacks, spamming, and running cryptocurrency mining scripts.
- Hosting personal or commercial websites on the Cloudways servers launched through the provided account.
- Social engineering attacks of any kind.
- If you find any sensitive information (e.g. passwords or API keys), do not attempt to validate it; simply report it directly to Cloudways.
- Destruction, modification and corruption of data is strictly prohibited.
- Researchers should not launch more than 3 servers per account.
- If a researcher account is found violating these rules, its servers will be removed without notice.
Out of Scope:
- Servers that are launched through the Cloudways Platform, as well as any applications running on those servers, are out of scope. Only the server and application management features that directly affect the Platform, and not the servers or applications themselves, are in scope.
- Embedded database manager in Cloudways Platform.
- Third-party Services: Any target that redirects to a third-party URL/service by changing the URL in the browser’s address bar is out of scope. This also includes Cloudways URLs which are not part of the target section.
- Customer support channels including but not limited to chats, support tickets, emails, etc.