Cloudability understands and values the trust our customers place in us. We take security very seriously, and investigate all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our services.
If you believe you have discovered a vulnerability in Cloudability, contact us as described below. So that we may more rapidly and effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
If you would like to report a vulnerability, you may do so by submitting a CVSS standard report (https://www.first.org/cvss/specification-document) to firstname.lastname@example.org including a demonstrable example of the vulnerability.
We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
Once the report has been reviewed, Cloudability will work to validate the reported vulnerability and reproduce it. If additional information is required in order to validate or reproduce the issue, we will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.
If the issue cannot be validated, or is not found to be a flaw in a Cloudability product, this will be shared with you.
In order to protect our customers, Cloudability requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.