By participating in this program, you agree to

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Program Rules

• You are NOT ALLOWED to take any vulnerability (fixed or otherwise) Public at any time. In all cases, you should report the discovered vulnerabilities through the appropriate channels.
• While testing, please only test against your own accounts and resources. Targeting Cloudways users or their resources is NOT allowed.
• Do not host personal or commercial applications on servers underneath your @intigriti.me Cloudways account.
• Please do not launch servers greater than 4 GB and do not launch more than 3 concurrent servers at a time.
• While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests.
  • Providing such information will assist us with correlating your traffic to your research and expedite our ability to validate your report.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.
• Multiple vulnerabilities caused by one underlying issue will be considered one issue.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Please help make a good faith effort to avoid privacy violations, destruction of data, or service degradation.

Prohibited Actions/Activities during testing

• Launching servers greater than 4GB.
• Creating Cloudways Support tickets.
• Using Cloudways servers for any illegal activities including but not limited to hosting malicious and phishing websites, abusing server bandwidth to carry out DDoS attacks, brute force attacks, spamming, and running cryptocurrency mining scripts.
• Hosting personal or commercial websites on the Cloudways servers launched through the provided account.
• Social engineering attacks of any kind.
• If you find any sensitive information (e.g Passwords or API keys), do not attempt to validate them; simply report directly to Cloudways.
• Destruction, modification and corruption of data is strictly prohibited.
• Researchers should not launch more than 3 servers in account.
• If we find a researcher account violating these rules, then these servers will be removed without notice.

Validation times
We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Cloudways will make a best effort to meet the following SLAs for hackers participating in our program.
The following SLAs are in business days (Mon-Fri) and may exclude days where there are regional holidays in the countries where our Cloudways staff are located.

We'll try to keep you informed about our progress throughout the process.

Check our fix
We offer up to $50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Cloudways to award.

Introduction
Cloudways by DigitalOcean is a managed web hosting platform that specialises in providing an easy-to-manage environment for web applications.
The idea behind offering bounty for bugs is to tap into the expertise of the InfoSec community and discover the gaps in Cloudways’s security. The emphasis is on offering a secure user experience to our customers and to ensure that the Cloudways Platform remains the most secure managed hosting option for our users.

Looking for other DigitalOcean assets? Take a look at our other bug bounty programs:

• DigitalOcean

High Impact Findings
We are particularly interested in findings that enable widespread compromise of other customers or penetrate Cloudways’s core backend systems. These behaviors are not limited to specific vulnerability categories, but some examples include:

• Broken authorization leading to access of other Cloudways customer records
• Remote code execution on core Cloudways infrastructure
• Cross-machine attacks to break the multi-tenancy architecture

Acceptable PoCs

• Command execution: whoami, hostname, uname
• File reads: /etc/hostname
• File writes: /tmp/bbp_<intigriti username>
• SQL injection: basic evidence (' OR 1='1 causes all rows to return and ' AND 0='1 causes zero rows to return) is fine, but feel free to extract the username of the database user as well

Applications to Focus
The Cloudways Bug Bounty Program focuses on the following applications:

1. Cloudways Platform
Cloudways Platform is the primary target for this program.

• Flexible (https://platform.cloudways.com/)
  Flexible is the main interaction point for Cloudways customers.
• Autonomous (https://unified.cloudways.com/)
  New UI along with new api and backend to handle all the services of Cloudways
• Cloudways Api (https://api.cloudways.com/)
  Many, but not all actions that Cloudways Platform allows through the UI can also be performed through Cloudways API
• Cloudways Developer (https://developers.cloudways.com/)
  Cloudways Developers authorizes the API key to use Cloudways API
• Client Billing
  Feature to automate and manage recurring invoices and payments
• DNS Made Easy
  DNS management tool to manage all the DNS records of the domain
• Astra Pro
  Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio, business website and WooCommerce storefront
• Cloudflare
  Here you can check which of your Applications are bound to Cloudflare.
• Elastic Email
  Send high-volume transactional emails with exceptional value through Elastic Email
• Rackspace Email
  Email hosting service on Cloudways Platform
• SafeUpdates
  Automatically detects, tests & deploys WordPress updates
• Vulnerability Scanner
  The Vulnerability Scanner powered by Patchstack is specifically designed for real-time monitoring and notification of potential threats in the application components

As for the third party add-on i.e., DNS Made Easy, Astra Pro, Cloudflare, Elastic Email, Rackspace, SafeUpdates, Vulnerability scanner, etc. bug bounty program should focus on only the issues that will impact Cloudways environment directly.

2. Cloudways Website
Cloudways website is the corporate website that offers product details and related corporate information to visitors.

3. Ugurus Website
Ugurus website offers product details and related corporate information to visitors.

4. Ugurus Platform
Ugurus Platform is the main interaction point for Ugurus customers.

Focus areas
While testing Cloudways targets from a user’s perspective, your efforts should be directed towards the following areas:

1. Testing of Cloudways Platform and API with focus on

• Any action(s) which a user is not authorized to perform via Platform or API and can cause security breaches in the Cloudways infrastructure as a result of these actions .
• Access to sensitive information including but not limited to Passwords, API keys and Personal data of customers.
• Cross-account login/ operations via Platform and API.

2. Testing of underlying Management & Orchestration layer used by Cloudways Platform and API to manage customer servers, which may include

• Any malicious activity from the orchestration layer on a single or multiple servers.

Please note that if you find any exploits, please BE CAREFUL when testing and inform Cloudways prior to any invasive or impactful testing.

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here: Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Any Cloudways domain/subdomain/property not listed in the Domains section is out of the scope of this program, along with the following:

• Customer support channels, including but not limited to chats, support tickets, emails, etc.
• Servers launched by Cloudways customers on the Cloudways Platform, as well as any applications running on those servers, are out of scope.
• Embedded database manager in Cloudways Platform.

Please do not submit findings from automated scans unless you have verified and have high confidence that the vulnerable targets are part of Cloudways’s public infrastructure and have a demonstrated security impact. Repetitive submissions against Cloudways customers may result in expulsion from our program.

Out-of-Scope Applications

• learning.cloudways.com
• support.cloudways.com
• feedback.cloudways.com
• prepathon.cloudways.com
• status.cloudways.com
• tickets.cloudways.com
• track.cloudways.com
• tracking.cloudways.com
• try.cloudways.com

Any issues found on aforementioned applications or any other third-party owned application will not be entertained unless a direct impact on Cloudways owned services, softwares and infrastructure can be demonstrated.

Application

• Open redirection is out of scope (unless actual impact is shown, like chaining with other vulnerabilities to steal tokens, SSRF, etc.)
• Use of known vulnerable 3rd party library or software without a working proof of concept to prove the exploitability and impact
• Wordpress usernames disclosure
• Pre-Auth Account takeover/OAuth squatting
• Self-XSS that can't be used to exploit other users
• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags
• Missing security headers
• Cross-site Request Forgery with no or low impact
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits.
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Email bombing
• HTTP Request smuggling without any proven impact
• Homograph attacks
• XMLRPC enabled
• Banner grabbing/Version disclosure
• Not stripping metadata of files
• Same-site scripting
• Subdomain takeover without taking over the subdomain
• Arbitrary file upload without proof of the existence of the uploaded file
• Blind SSRF without proven business impact (pingbacks aren't sufficient)
• Host header injection without proven business impact
• Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
• Links on static content referencing 3rd party domains that no longer exist
• Leaked credentials found on third-party domains

General

• In cases where a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Vulnerabilities that only work on software that no longer receive security updates
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 30 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
• Reports that state that software is out of date/vulnerable without a proof-of-concept

Cloudways does not leverage CVSS for its severity assessment. Instead, we take a contextual look at impact and likelihood of a vulnerability and determine the commensurate risk to our business or customers between Informational, Low, Medium, High, or Critical. This means that you can be sure, real experienced security professionals are looking at all the details of your report to determine the severity and resulting bounty payment; you're not limited by what an algorithm dictates. When we triage issues, we will provide justification as to our severity decision if it differs from yours. Please note that our severity table ends at Critical. We will only consider the Exceptional tier for truly monumental impact to the organization.

When deciding what severity to set on your report, you may use CVSS, CWSS, SSVC, EPSS, or any other combination of tools to help you determine an accurate threshold. Please do not mark every issue a Critical/High severity unless you have reasonable justification for doing so.
Cloudways will only issue monetary rewards for reports demonstrating meaningful impact. If Cloudways decides to offer a reward for a vulnerability report, the value of the reward will be based on the impact and severity of the reported vulnerability, to be determined by Cloudways in its sole discretion. Awards are granted entirely at the discretion of Cloudways.

For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

At Cloudways’s discretion, providing more complete research, proof-of-concept code, and detailed writeups may increase the bounty awarded. Conversely, Cloudways may pay less for vulnerabilities that require complex or over-complicated interactions for which the impact or security risk is negligible.

How can I create an account?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

• Please create dedicated testing accounts for any Cloudways security research engagement. This allows our teams to know if any anomalous activity is associated with Intigriti or potential bad actors.
• Feel free to sign up for new accounts on platform.cloudways.com using your userid@intigriti.me
• While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests, X-BBP-Researcher: {Username}.
• If you are testing with an account that does not use an @intigriti.me email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).
• Once you have finished testing, don't forget to spin down resources to avoid any undue consumption.
• Free trial lasts for 60 days after which the researcher will be charged according to the payment plan.