Cloudonix Vulnerability Disclosure Policy

This vulnerability disclosure policy describes the procedures for reporting and handling disclosures for the in-scope properties listed below.

If you would like to report vulnerabilities for any other service not listed, please do so by emailing security@cloudonix.io, though we do not guarantee any outcome nor even the possibility of receiving a reply.


Services in scope

The following services are in scope of this vulnerability disclosure policy:

  • Cloudonix commercial web properties: `cloudonix.io`, `www.cloudonix.io`
  • Cloudonix API services: `api.cloudonix.io`, `api.*.cloudonix.io`
  • Cloudonix SIP services: `sip.cloudonix.io`, `*.sip.cloudonix.io`, `wss.cloudonix.io`


Vulnerability Disclosure Procedure

If you discover a vulnerability in any of the properties listed above, please send an email with as much detail as possible to security@cloudonix.io. Please provide, at a minimum:

  1. Your name and contact details
  2. A reproduction that is as accurate as possible, including the specific details of the service and any settings required to reproduce the issue. A disclosure without enough detail to allow our security team to reproduce the issue will be disregarded.
  3. A reference to any relevant standard or specification being violated.

Per service reward policy

Cloudonix commercial web properties

Cloudonix does not award rewards for vulnerability disclosure on our commercial web properties. These are considered non-mission-critical and may contain multiple minor issues that are either deemed acceptable risk or are part of required functionality, and that we have no intention of investing resources to “fix”.


Cloudonix API services

Cloudonix will award bounties for any vulnerability disclosure that results in fixing an issue that does any of the following:

  • Allows anonymous public access to disclose or modify non-public customer data or meta-data.
  • Allows a customer’s privileged access to disclose or modify non-public data or meta-data of other customers.
  • Allows anonymous access to modify public customer data.
  • Allows a customer’s privileged access to modify public data of other customers.
  • Causes a non-trivial, non-distributed, denial of service for other customers (i.e. not anonymous public access).


For the purpose of such disclosure, Cloudonix internal customer accounts are not considered customer accounts or non-public data.

Additionally, Cloudonix deems a customer’s privileged access gained by guessing customer-controlled credentials, or by circumventing a third-party service, to be lawful access that is not a vulnerability.


Cloudonix SIP services

Cloudonix will award bounties for any vulnerability disclosure that results in fixing an issue that does any of the following:

  • Allows anonymous public access to create and terminate a SIP call.
  • Allows anonymous public access to disclose information about other SIP sessions.
  • Allows a customer’s privileged access to disclose information about SIP sessions of other customers.


For the purpose of such disclosure, Cloudonix internal customer accounts are not considered customer accounts or non-public data.

Additionally, Cloudonix deems a customer’s privileged access gained by guessing customer-controlled credentials, or by circumventing a third-party service, to be lawful access that is not a vulnerability.