Description

Cloudways by DigitalOcean is a managed web hosting platform that specialises in providing an easy-to-manage environment for web applications.

Bounties

Severity      Score        Tier 2 (min - max)   Tier 3 (min - max)
Low           0.1 - 3.9    $100 - $300          $50 - $100
Medium        4.0 - 6.9    $400 - $800          $200 - $300
High          7.0 - 8.9    $1,000 - $1,500      $400 - $800
Critical      9.0 - 9.4    $1,800 - $2,500      $1,000 - $1,500
Exceptional   9.5 - 10.0   $2,500 - $4,000      $1,500 - $1,500

Tier 2: $100 - $4,000
Tier 3: $50 - $1,500
Rules of engagement

Required: Not applicable
Rate limit: max. 5 requests/sec
Custom header: X-BBP-Researcher: {Username}

By participating in this program, you agree to

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Program Rules

  • You are NOT ALLOWED to make any vulnerability (fixed or otherwise) public at any time. In all cases, report discovered vulnerabilities through the appropriate channels.
  • While testing, please only test against your own accounts and resources. Targeting Cloudways users or their resources is NOT allowed.
  • Do not host personal or commercial applications on servers underneath your @intigriti.me Cloudways account.
  • You may launch only one 2 GB server or two 1 GB servers. No additional servers are permitted.
  • While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests.
    • Providing such information will assist us with correlating your traffic to your research and expedite our ability to validate your report.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.
  • Multiple vulnerabilities caused by one underlying issue will be considered one issue.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Please help make a good faith effort to avoid privacy violations, destruction of data, or service degradation.

Prohibited Actions/Activities during testing

  • Launching more than one server of 2 GB or more than two servers of 1 GB.
  • Creating Cloudways Support tickets.
  • Using Cloudways servers for any illegal activities including but not limited to hosting malicious and phishing websites, abusing server bandwidth to carry out DDoS attacks, brute force attacks, spamming, and running cryptocurrency mining scripts.
  • Hosting personal or commercial websites on the Cloudways servers launched through the provided account.
  • Social engineering attacks of any kind.
  • If you find any sensitive information (e.g. passwords or API keys), do not attempt to validate it; report it directly to Cloudways.
  • Destruction, modification and corruption of data is strictly prohibited.
  • Researchers should not launch more than 3 servers in an account.
  • If a researcher account is found violating these rules, its servers will be removed without notice.

Validation times
We will validate all submissions within the timelines below, once your submission has been verified by Intigriti.
Cloudways will make a best effort to meet the following SLAs for hackers participating in our program.
The following SLAs are in business days (Mon-Fri) and may exclude days where there are regional holidays in the countries where our Cloudways staff are located.

Vulnerability severity   Time to validate
Exceptional              2 working days
Critical                 2 working days
High                     5 working days
Medium                   15 working days
Low                      15 working days

We'll do our best to keep you informed about our progress throughout the process.

Check our fix
We offer up to $50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Cloudways to award.

Domains

*.cloudways.com (Wildcard, Tier 2)

All external services/software like support.cloudways.com and feedback.cloudways.com that are not owned, managed or controlled by Cloudways are considered out of scope and ineligible for rewards.

The Cloudways API offers an alternative to the Cloudways Platform. Many, but not all, of the actions the Cloudways Platform allows through the UI can also be performed through the Cloudways API.

In the event a vulnerability is applicable to both the Cloudways Platform (platform.cloudways.com) and API, it will be treated as one root incident.

Cloudways Developers is where the API key used to access the Cloudways API is authorized. Vulnerability testing of this target should focus on the API authorization process ONLY. All other areas of Cloudways Developers are strictly OUT OF SCOPE.

Severity assessment

Cloudways does not use CVSS for its severity assessment. Instead, we take a contextual look at the impact and likelihood of a vulnerability and determine the commensurate risk to our business or customers as Informational, Low, Medium, High, or Critical. This means you can be sure that real, experienced security professionals are looking at all the details of your report to determine the severity and resulting bounty payment; you're not limited by what an algorithm dictates. When we triage issues, we will provide justification for our severity decision if it differs from yours. Please note that our severity table ends at Critical. We will only consider the Exceptional tier for truly monumental impact to the organization.

When deciding what severity to set on your report, you may use CVSS, CWSS, SSVC, EPSS, or any other combination of tools to help you determine an accurate threshold. Please do not mark every issue a Critical/High severity unless you have reasonable justification for doing so.
Cloudways will only issue monetary rewards for reports demonstrating meaningful impact. If Cloudways decides to offer a reward for a vulnerability report, the value of the reward will be based on the impact and severity of the reported vulnerability, to be determined by Cloudways in its sole discretion. Awards are granted entirely at the discretion of Cloudways.

For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

At Cloudways' discretion, providing more complete research, proof-of-concept code, and detailed writeups may increase the bounty awarded. Conversely, Cloudways may pay less for vulnerabilities that require complex or over-complicated interactions and for which the impact or security risk is negligible.

FAQ

How can I create an account?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

  • Please create dedicated testing accounts for any Cloudways security research engagement. This allows our teams to know if any anomalous activity is associated with Intigriti or potential bad actors.
  • Feel free to sign up for new accounts on platform.cloudways.com using your userid@intigriti.me address.
  • While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests, X-BBP-Researcher: {Username}.
  • If you are testing with an account that does not use an @intigriti.me email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).
  • Once you have finished testing, don't forget to spin down resources to avoid any undue consumption.
  • The free trial lasts for 60 days, after which the researcher will be charged according to the payment plan.