CloudCannon Bug Bounty

Welcome to CloudCannon's bug bounty programme. If you believe you've found a critical vulnerability, please follow the steps below and create a bug report. We appreciate all submissions, but only critical bugs are within scope.

Scope

Only the CloudCannon app (app.cloudcannon.com) is within scope. Other sub-domains will not be considered for bug bounties. At this stage we will only be assessing critical vulnerabilities.


Rewards

CloudCannon will award valid reports based on the scope and severity of each report. Monetary rewards are paid by Wise bank transfer only; any charges incurred for Wise transactions will not be covered by CloudCannon. The rewards are as follows:

  • Critical Severity Reports $50 - $100 USD
  • Moderate Severity Reports $20 - $50 USD

Submission Process

Check Scope

Confirm the bug fits within the scope defined in the Bug Bounty Policy below.

Submit Report

Submit your report which includes clear, concise and reproducible steps to replicate the issue.

Confirmation

The CloudCannon support team will make contact within five working days to acknowledge we have received your report.

Assessment & Rewards

CloudCannon will assess the report and will offer a reward based on severity and current scope. This may take several days of deliberation.

Bug Bounty Policy

Bounty Qualification

Only critical vulnerabilities that demonstrate complete compromise of the system’s integrity or confidentiality are eligible for a bounty. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.

It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at CloudCannon's discretion. CloudCannon has the final say on which issues constitute security vulnerabilities.

Disclosure Policy

Do:

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Consolidate issues into a single report. Many substantially similar reports (for example, the same vulnerability reported across multiple sub-domains) will be marked as duplicates and will be eligible for only one bounty award.

Don’t:

  • Make any information public before the issue has been resolved.
  • Access or modify data that does not belong to you; create a free account to test with.

Exclusions

While researching, we’d like to ask you to refrain from:

  • Denial of service
  • Rate limiting
  • Spamming
  • Social engineering (including phishing) of CloudCannon staff or contractors
  • Any physical attempts against CloudCannon property or data centers
  • Site sharing functionality (In development)
  • Org sharing functionality (In development)

We do not cover TransferWise fees for international transactions, credit card transactions or any other services. TransferWise may deduct this from the amount sent to the payee.

Safe Harbour

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping to keep CloudCannon and our users safe!


Submit Report

Please provide as much information as possible about the potential issue you have discovered. The more information you provide, the faster CloudCannon will be able to validate the issue.
