Vulnerability disclosure policy

At DoubleCloud we take the protection of our customers’ data very seriously.

The DoubleCloud security team acknowledges the valuable role that independent security researchers play in cybersecurity. As a result, we encourage responsible reporting of any vulnerabilities found on our website or applications. DoubleCloud is committed to working with security researchers to verify and address any potential vulnerabilities reported to us.

Please review these terms before you test and report a vulnerability. DoubleCloud pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.

Testing for security vulnerabilities

Please conduct all vulnerability testing against your DoubleCloud trial accounts.

Reporting a potential security vulnerability

All vulnerability submissions, whether via the DoubleCloud disclosure program or the bug bounty program, must adhere to the rules specified below.

To report security or privacy issues affecting DoubleCloud products or web servers, please contact us at security@double.cloud.

Use the DoubleCloud Security PGP key to encrypt sensitive information sent via email. When we receive your email, we will send an acknowledgment in reply. If you don't get this acknowledgment, please check the email address and send your report again. We will contact you if we need further information to investigate a security issue. Please provide enough detail about the suspected vulnerability for the DoubleCloud security team to validate and reproduce the issue.

For the protection of our customers, DoubleCloud generally only discloses, discusses, or confirms security issues once a full investigation is complete and any necessary patches or releases are available.

DoubleCloud signature verification

Notifications published by DoubleCloud Security are signed with the DoubleCloud Security PGP key. We strongly encourage you to verify the signature to ensure the document was indeed written by our staff and has not been changed.

DoubleCloud vulnerability reporting policy

Program and scope

In-scope and out-of-scope targets are described below. The same scope applies whether you submit a finding under the standard disclosure terms or under our coordinated disclosure terms (described below).

In-scope and out-of-scope

Warning

Anything not explicitly defined as in-scope is by default out-of-scope.

In-scope items:

  • app.double.cloud

  • double.cloud

Out-of-scope items:

  • *.double.cloud (any other subdomain not listed above)

  • trust.double.cloud

Please understand that third-party services not owned by DoubleCloud are not eligible. While we strive for secure integrations, we cannot ensure that our policies apply to the services of other companies.

Evaluations and expectations

Explain the vulnerability impact. When in doubt, the question always comes down to the vulnerability's potential impact (i.e., what can be done with the vulnerability and what is the consequence to DoubleCloud). If you can demonstrate why a finding has a significant impact, please submit that information.

Chaining bugs

Chaining bugs is not frowned upon in any way. However, if you manage to compromise a DoubleCloud-owned server, you must stop there: we do not allow further escalation such as port scanning internal networks, privilege escalation attempts, or pivoting to other systems.

If you get this level of access to a server, please report your findings to us immediately, and we will reward you with an appropriate bounty, taking into full consideration the severity of what could be done.

Reporting

To prioritize security and respect your research, we ask that you:

  • Contact us immediately if you come across any customer, user, or personal data. Do not view, alter, copy, save, store, transfer, download, or access this data; immediately delete any local data upon reporting the vulnerability to us.

  • Write clear and detailed reports so we can verify the vulnerability.

  • Give us a reasonable amount of time to respond to the issue, and respect our standard disclosure terms if you choose to publish your findings instead of receiving a bounty reward.

  • Do not modify our data, content, or any customer or user’s data or content.

  • Only use your account or test accounts for security research purposes.

  • Please be respectful of our production applications: do not test for spam, run automated vulnerability scanners, attempt social engineering, or test for denial-of-service issues.

  • We encourage you to act in good faith to avoid privacy violations, data destruction, and any interruption or degradation of our services, including DoS (denial of service).

Valid reports

We ask that you write clear and concise reports to enable us to make a determination. Please include your methodology step-by-step and only submit it after you verify your bug. Please use the following template:

Discovered by

Reporter's email address

Affected service

Service name(s)

Issue type

A short description of the issue

Report date

The date in DD.MM.YYYY format on which the report was submitted

Public release date

The date in DD.MM.YYYY format on which the report may be released to the public

CVE identifier

Optional field. Provide if available. For more information, see the official CVE reference.

CWE identifier

The CWE identifier of the weakness class (CWE-NNN, e.g. CWE-79). For reference, use the list of most common software and hardware weakness types.

CVSS v3 rating

A CVSS v3 base score in N.N format (one decimal place, e.g. 7.5), together with the vector string it was derived from so that we can recheck it. For more information, see the CVSS Score in-depth overview.

Description

Fully describe the issue and its impact.

Step-by-step proof of concept

Step-by-step technical details to reproduce the issue. Please provide as much detail as possible to allow us to triage and respond quickly.

Recommendations

This is optional, but we appreciate feedback from researchers.

Timeline

This is optional, but it’s helpful for researchers to keep a timeline of communications so that all parties are in sync.

Full write-up

This is optional, but we recognize that some vulnerabilities require a longer explanation, details, or background. We reserve this section for such items.

If you comply with the terms of this policy when reporting a potential security issue to us, we will not pursue civil action or file a complaint with law enforcement for accidental, good-faith violations of this policy.

We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a claim under the Digital Millennium Copyright Act against you for circumventing the technological measures we have used to protect the applications in scope.

If a third party initiates legal action against you and you have complied with this policy, including any applicable program rules or other incorporated terms, DoubleCloud will take steps to make it known that your actions were conducted in compliance with this policy.

Coordinated disclosure terms

DoubleCloud takes a responsible disclosure stance for vulnerabilities submitted to us directly. If you disclose a vulnerability to us directly, you agree to give us a reasonable amount of time to investigate and fix the issue before publicly disclosing it or sharing the information with any other person or third party.

We will strive to fix the issue and allow disclosure within industry-standard timelines, and may extend this period as needed based on the vulnerability, its complexity, and its potential effects. If you choose to be compensated for your bug, you may not disclose it publicly or to any other person or third party. This disclosure term governs these submissions, and any bounty payment you receive is subject to it.

Payouts

For bounty rewards, the following terms apply:

  • We will only reward the individual that is the first to report a vulnerability to us and will not reward informative reports.

  • Violation of this policy, disclosure of the vulnerability subject to the coordinated disclosure terms, or any other public disclosure of the vulnerability before resolution may result in canceling a pending reward.

  • We reserve the right to disqualify individuals from the program for disrespectful, disruptive, or otherwise inappropriate behavior.

  • We reserve the right to ask you for more details or updates to your report to make a determination.

  • We reserve the right to determine the reward amount and whether it should be granted, including paying more or less based on the vulnerability.

Other terms

While we encourage you to discover and responsibly report any vulnerabilities you find, the following criteria, restrictions, and exclusions apply:

Report criteria

  • Business Impact (how does this affect DoubleCloud?)

  • Quality of report

    • Steps to reproduce

    • Working proof of concept

  • Discoverability (how likely is this to be discovered)

  • Exploitability (how likely is this to be exploited)

Restrictions

  • No automated scanning

  • No DoS - we prohibit this activity, and testing clusters are not scaled for these attacks

  • Do NOT contact DoubleCloud support for vulnerability reporting related concerns - please contact security@double.cloud.

The following finding types are specifically excluded from the bounty:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages

  • Fingerprinting/banner disclosure on common/public services

  • Disclosure of known public files or directories (e.g., robots.txt)

  • Clickjacking and issues only exploitable through clickjacking

  • CSRF on forms that are available to anonymous users (e.g., log-in or contact form)

  • Logout / Login Cross-Site Request Forgery (logout CSRF)

  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality

  • No Captcha / Weak Captcha / Captcha Bypass

  • Login or Forgot Password page brute force and account lockout not enforced

  • HTTP methods enabled

    • OPTIONS, PUT, GET, DELETE, INFO

  • WebServer Type disclosures

  • Social engineering of our employees or contractors

  • Physical attacks against DoubleCloud offices and data centers

  • Error messages with non-sensitive data

  • Non-application layer Denial of Service or DDoS

  • Lack of HTTP Only / SECURE flag for cookies

  • Username / email enumeration

    • via Login Page error message

    • via Forgot Password error message

  • Missing HTTP security headers, e.g.

    • Strict-Transport-Security

    • Referrer-Policy

    • Permissions-Policy

    • X-Frame-Options

    • X-XSS-Protection

    • X-Content-Type-Options

    • Content-Security-Policy, X-Content-Security-Policy

    • Content-Security-Policy-Report-Only

  • SPF / DMARC / DKIM Mail and Domain findings

  • Email Rate Limiting or Spamming

  • DNSSEC Findings

  • CSV Issues

  • AV Scanning

  • SSL/TLS Issues, e.g.

    • SSL Attacks such as BEAST, BREACH, Renegotiation attack

    • SSL Forward secrecy not enabled

    • SSL weak / insecure cipher suites

  • Cookie Issues

    • HTTPONLY

    • SECURE

    • multiple cookie setting

  • Service Rate Limiting

  • User or Account enumeration

  • Business Logic READ Issues

DoubleCloud security commitment

We ask that you do not share an unresolved vulnerability with third parties or publicize it. If you responsibly submit a vulnerability report, the DoubleCloud security team will use reasonable efforts to:

  • Respond promptly, acknowledging receipt of your vulnerability report.

  • Provide an estimated time frame for addressing the vulnerability report.

  • Notify you when the vulnerability has been fixed.

We are happy to thank every researcher who submits a vulnerability report to help us improve our overall security posture at DoubleCloud.

DoubleCloud PGP key

Due to the sensitive nature of security information, DoubleCloud provides a method for you to:

  • Verify the authenticity of security notifications

  • Encrypt messages to send to DoubleCloud via security@double.cloud

Obtain PGP

You can download free software for generating PGP keys from https://gnupg.org/download/index.html.

The DoubleCloud PGP key has an operational life span of two years. When we generate a new key, it will be available from https://double.cloud/.well-known/pgp-key.txt.

Check our PGP signature on mail messages and documents

Documents developed by the DoubleCloud Security team are signed with the DoubleCloud PGP key. We encourage you to check the signature to ensure the document was indeed written by our staff and has not been changed.

Encrypting sensitive information

When sending sensitive security information by email, please encrypt it with this PGP key.
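The two procedures above, checking a signature on a notification and encrypting a report, as an added worked example that is not DoubleCloud's own tooling. It assumes GnuPG 2.1 or later. Because it must run offline, a throwaway "publisher" key generated locally stands in for the real DoubleCloud Security key, which you would fetch from https://double.cloud/.well-known/pgp-key.txt instead; the key, the fingerprint, the notification and the report are all constructed test data. The page gives no fingerprint for the real key, so the fingerprint pinned here is simply the one the script generated, standing in for a value obtained through a second channel.

```shell
#!/bin/sh
# Added example (not DoubleCloud's own tooling): the researcher-side GnuPG
# workflow for a PGP-signed notification and an encrypted report (GnuPG 2.1+).
# To run offline, a throwaway "publisher" key stands in for the real
# DoubleCloud Security key, which you would fetch from
# https://double.cloud/.well-known/pgp-key.txt instead. All keys, messages
# and fingerprints here are constructed test data and are deleted on exit.
set -eu

WORK=$(mktemp -d)
PUBLISHER="$WORK/publisher"    # keyring standing in for the notification signer
RESEARCHER="$WORK/researcher"  # your own keyring
mkdir -p "$PUBLISHER" "$RESEARCHER"
chmod 700 "$PUBLISHER" "$RESEARCHER"
trap 'gpgconf --homedir "$PUBLISHER" --kill gpg-agent 2>/dev/null;
      gpgconf --homedir "$RESEARCHER" --kill gpg-agent 2>/dev/null;
      rm -rf "$WORK"' EXIT

# gpg with the flags needed for unattended use of a passphrase-less key
gpgq() { home=$1; shift; gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# primary-key fingerprint of the first key in a keyring (machine-readable listing)
first_fpr() { gpg --homedir "$1" --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'; }

# ---- publisher side (simulated): signing key, encryption subkey, exported
# public key file, and a detached signature over a notification
gpgq "$PUBLISHER" --quick-generate-key "Example Security Team (test only) <security@example.test>" ed25519 sign never
PUB_FPR=$(first_fpr "$PUBLISHER")
gpgq "$PUBLISHER" --quick-add-key "$PUB_FPR" cv25519 encr never
gpg --homedir "$PUBLISHER" --batch --armor --export "$PUB_FPR" > "$WORK/pgp-key.txt"
printf 'Security notification: constructed example text.\n' > "$WORK/notice.txt"
gpgq "$PUBLISHER" --armor --detach-sign --local-user "$PUB_FPR" \
    --output "$WORK/notice.txt.asc" "$WORK/notice.txt"

# ---- researcher side
# Import the published key and pin its fingerprint ($2), which you obtained
# through a second channel. Whoever can replace the key file can also
# re-sign the notification, so the fingerprint, not the file, anchors trust.
import_pinned_key() { # $1 = key file, $2 = expected fingerprint
    gpg --homedir "$RESEARCHER" --batch --quiet --import "$1"
    [ "$(first_fpr "$RESEARCHER")" = "$2" ]
}

# Succeeds only if gpg reports VALIDSIG by exactly the pinned key ($3).
# The exit code alone is not enough: gpg exits 0 for a good signature by
# any key in the keyring, trusted or not.
verify_notice() { # $1 = detached signature, $2 = document, $3 = signer fingerprint
    gpg --homedir "$RESEARCHER" --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Encrypt a report to the pinned key. --trust-model always silences the
# "no assurance this key belongs to the named user" check that otherwise
# aborts --batch; that is acceptable only because the fingerprint was
# verified out of band above.
encrypt_report() { # $1 = recipient fingerprint, $2 = plaintext file, $3 = armored output
    gpg --homedir "$RESEARCHER" --batch --quiet --armor --trust-model always \
        --recipient "$1" --output "$3" --encrypt "$2"
}

import_pinned_key "$WORK/pgp-key.txt" "$PUB_FPR"

if verify_notice "$WORK/notice.txt.asc" "$WORK/notice.txt" "$PUB_FPR"; then
    echo "notice.txt: valid signature by $PUB_FPR"
else
    echo "notice.txt: signature check FAILED" >&2; exit 1
fi

# One appended line is enough to invalidate the detached signature.
cp "$WORK/notice.txt" "$WORK/tampered.txt"
printf 'appended by someone else\n' >> "$WORK/tampered.txt"
if verify_notice "$WORK/notice.txt.asc" "$WORK/tampered.txt" "$PUB_FPR"; then
    echo "tampered.txt: UNEXPECTEDLY verified" >&2; exit 1
else
    echo "tampered.txt: signature rejected, as expected"
fi

cat > "$WORK/report.txt" <<'EOF'
Affected service: example-service (constructed report, not a real finding)
Issue type: placeholder for the report template above
EOF
encrypt_report "$PUB_FPR" "$WORK/report.txt" "$WORK/report.asc"
head -n 1 "$WORK/report.asc"   # -----BEGIN PGP MESSAGE-----
```

Against the real key, replace the simulated publisher steps with a download of pgp-key.txt, import it into your own keyring, and compare the fingerprint gpg prints against one you obtained through a channel other than the web server that served the key file; only then sign off on a notification or encrypt a report to it.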
