By participating in this program, you agree to

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Program Rules

• You are NOT ALLOWED to take any vulnerability (fixed or otherwise) Public at any time. In all cases, you should report the discovered vulnerabilities through the appropriate channels.
• While testing, please only test against your own accounts and resources. Targeting Cloudways users or their resources is NOT allowed.
• Do not host personal or commercial applications on servers underneath your @intigriti.me Cloudways account.
• Please do not launch servers greater than 4 GB and do not launch more than 3 concurrent servers at a time.
• While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests.
  • Providing such information will assist us with correlating your traffic to your research and expedite our ability to validate your report.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.
• Multiple vulnerabilities caused by one underlying issue will be considered one issue.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Please help make a good faith effort to avoid privacy violations, destruction of data, or service degradation.

Prohibited Actions/Activities during testing

• Launching servers greater than 4GB.
• Creating Cloudways Support tickets.
• Using Cloudways servers for any illegal activities including but not limited to hosting malicious and phishing websites, abusing server bandwidth to carry out DDoS attacks, brute force attacks, spamming, and running cryptocurrency mining scripts.
• Hosting personal or commercial websites on the Cloudways servers launched through the provided account.
• Social engineering attacks of any kind.
• If you find any sensitive information (e.g Passwords or API keys), do not attempt to validate them; simply report directly to Cloudways.
• Destruction, modification and corruption of data is strictly prohibited.
• Researchers should not launch more than 3 servers in account.
• If we find a researcher account violating these rules, then these servers will be removed without notice.

Validation times
We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Cloudways will make a best effort to meet the following SLAs for hackers participating in our program.
The following SLAs are in business days (Mon-Fri) and may exclude days where there are regional holidays in the countries where our Cloudways staff are located.

We'll try to keep you informed about our progress throughout the process.

Check our fix
We offer up to $50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Cloudways to award.

Introduction
Cloudways by DigitalOcean is a managed web hosting platform that specialises in providing an easy-to-manage environment for web applications.
The idea behind offering bounty for bugs is to tap into the expertise of the InfoSec community and discover the gaps in Cloudways’s security. The emphasis is on offering a secure user experience to our customers and to ensure that the Cloudways Platform remains the most secure managed hosting option for our users.

Looking for other DigitalOcean assets? Take a look at our other bug bounty programs:

• DigitalOcean

High Impact Findings
We are particularly interested in findings that enable widespread compromise of other customers or penetrate Cloudways’s core backend systems. These behaviors are not limited to specific vulnerability categories, but some examples include:

• Broken authorization leading to access of other Cloudways customer records
• Remote code execution on core Cloudways infrastructure
• Cross-machine attacks to break the multi-tenancy architecture

Acceptable PoCs

• Command execution: whoami, hostname, uname
• File reads: /etc/hostname
• File writes: /tmp/bbp_<intigriti username>
• SQL injection: basic evidence (' OR 1='1 causes all rows to return and ' AND 0='1 causes zero rows to return) is fine, but feel free to extract the username of the database user as well

Applications to Focus
The Cloudways Bug Bounty Program focuses on the following applications:

1. Cloudways Platform
Cloudways Platform is the primary target for this program.

• Flexible (https://platform.cloudways.com/)
  Flexible is the main interaction point for Cloudways customers.
• Autonomous (https://unified.cloudways.com/)
  New UI along with new api and backend to handle all the services of Cloudways
• Cloudways Api (https://api.cloudways.com/)
  Many, but not all actions that Cloudways Platform allows through the UI can also be performed through Cloudways API
• Cloudways Developer (https://developers.cloudways.com/)
  Cloudways Developers authorizes the API key to use Cloudways API
• Client Billing
  Feature to automate and manage recurring invoices and payments
• DNS Made Easy
  DNS management tool to manage all the DNS records of the domain
• Astra Pro
  Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio, business website and WooCommerce storefront
• Cloudflare
  Here you can check which of your Applications are bound to Cloudflare.
• Elastic Email
  Send high-volume transactional emails with exceptional value through Elastic Email
• Rackspace Email
  Email hosting service on Cloudways Platform
• SafeUpdates
  Automatically detects, tests & deploys WordPress updates
• Vulnerability Scanner
  The Vulnerability Scanner powered by Patchstack is specifically designed for real-time monitoring and notification of potential threats in the application components

As for the third party add-on i.e., DNS Made Easy, Astra Pro, Cloudflare, Elastic Email, Rackspace, SafeUpdates, Vulnerability scanner, etc. bug bounty program should focus on only the issues that will impact Cloudways environment directly.

2. Cloudways Website
Cloudways website is the corporate website that offers product details and related corporate information to visitors.

3. Ugurus Website
Ugurus website offers product details and related corporate information to visitors.

4. Ugurus Platform
Ugurus Platform is the main interaction point for Ugurus customers.

Focus areas
While testing Cloudways targets from a user’s perspective, your efforts should be directed towards the following areas:

1. Testing of Cloudways Platform and API with focus on

• Any action(s) which a user is not authorized to perform via Platform or API and can cause security breaches in the Cloudways infrastructure as a result of these actions .
• Access to sensitive information including but not limited to Passwords, API keys and Personal data of customers.
• Cross-account login/ operations via Platform and API.

2. Testing of underlying Management & Orchestration layer used by Cloudways Platform and API to manage customer servers, which may include

• Any malicious activity from the orchestration layer on a single or multiple servers.

Please note that if you find any exploits, please BE CAREFUL when testing and inform Cloudways prior to any invasive or impactful testing.

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here: Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Any Cloudways domain/subdomain/property not listed in the Domains section is out of the scope of this program, along with the following:

• Customer support channels, including but not limited to chats, support tickets, emails, etc.
• Servers launched by Cloudways customers on the Cloudways Platform, as well as any applications running on those servers, are out of scope.
• Embedded database manager in Cloudways Platform.

Please do not submit findings from automated scans unless you have verified and have high confidence that the vulnerable targets are part of Cloudways’s public infrastructure and have a demonstrated security impact. Repetitive submissions against Cloudways customers may result in expulsion from our program.

Out-of-Scope Applications

• learning.cloudways.com
• support.cloudways.com
• feedback.cloudways.com
• prepathon.cloudways.com
• status.cloudways.com
• tickets.cloudways.com
• track.cloudways.com
• tracking.cloudways.com
• try.cloudways.com

Any issues found on aforementioned applications or any other third-party owned application will not be entertained unless a direct impact on Cloudways owned services, softwares and infrastructure can be demonstrated.

Application-Specific Exclusions

1. Third-Party Vulnerabilities:
   1.1 Use of known vulnerable libraries/software without working proof of exploitability or impact.
2. Information Disclosure:
   2.1 Wordpress username disclosure.
   2.2 Verbose messages/files/directory listings without sensitive info.
   2.3 Banner grabbing/version disclosure.
3. OAuth/Authentication Issues:
   3.1 Pre-auth account takeover/OAuth squatting.
4. Low-Impact Client-Side Vulnerabilities:
   4.1 Self-XSS that cannot be used to exploit others.
5. Cross-Origin Resource Sharing (CORS):
   5.1 CORS Misconfiguration on non-sensitive endpoints.
6. Cookie and Security Headers:
   6.1 Missing cookie flags.
   6.2 Missing security headers.
7. Cross-Site Request Forgery Issues:
   7.1 Low/no impact CSRF attacks.
8. Rate Limiting:
   8.1 Bypassing rate-limits or the non-existence of rate-limits.
9. Outdated Browsers:
   9.1 Vulnerabilities affecting users with outdated/unpatched browsers (more than two versions behind).
10. File Upload Issues:
    10.1 Arbitrary file upload without proof of existence
11. Server-Side Request Forgery (SSRF):
    11.1 Blind SSRF without proven business impact (e.g., pingbacks).
12. Subdomain Issues:
    12.1 Subdomain takeover without actual takeover.
13. Metadata Handling Issues:
    13.1 Not stripping metadata from files.
14. Header Injection Vulnerabilities:
    14.1 Host header injection without proven business impact.
15. Outdated Domains & Static Links:
    15.1 Links on static content referencing outdated third-party domains.
16. Miscellaneous:
    16.1 Clickjacking without proven impact or unrealistic user interaction.
    16.2 Reverse tabnabbing.
    16.3 CSV injection.
    16.4 Autocomplete attribute on web forms.
    16.5 Non-invalidation of sessions (logout, enabling 2FA, etc.).
    16.6 Tokens leaked to third parties.
    16.7 Content injection without HTML modification.
    16.8 Email bombing.
    16.9 HTTP request smuggling with no proven impact.
    16.10 Homograph attacks.
    16.11 XMLRPC enabled.
    16.12 Anything related to email spoofing, SPF, DMARC or DKIM

General Exclusions

17. Publicly known processor Side-Channel Attacks:
    17.1 The reason this rule exists is because there is no safe way to test without a special setup. If you have strong reason to believe that an issue may impact our environment, please contact us at security@digitalocean.com and we'll work with you to set up an environment for safe testing.
18. Known Vulnerabilities:
    18.1 If a reported vulnerability is already known through other means, it will be flagged as a duplicate
19. Theoretical Issues:
    19.1 Security issues without realistic exploitation scenarios or requiring complex user interactions.
20. Physical & Social Engineering Attacks:
    20.1 Spam, social engineering, physical intrusion.
    20.2 Attacks needing physical access, man-in-the-middle, or compromised user accounts.
21. Denial of Service (DoS/DDoS):
    21.1 DoS/DDoS attacks or brute force attacks.
22. Outdated Software:
    22.1 Vulnerabilities in software that no longer receive security updates.
    22.2 Reports stating software is outdated/vulnerable without proof of concept
23. Zero-Day Vulnerabilities:
    23.1 Newly discovered zero-days within 30 days of public patch release (reportable but not bounty eligible).
24. Third-party source of secrets, such as employee credentials
    24.1 We do not award bounty rewards for the reporting of leaked secrets unless there is a specific vulnerability in our platform that lead to the secrets disclosure. If that is the case, please submit a report about that vulnerability instead.
    24.2 You may email us at security@digitalocean.com to inform us about leaked secrets in credential lists or public databases. While this will not be awarded a bounty payout, we appreciate good faith notices and will investigate your claim.

Cloudways does not leverage CVSS for its severity assessment. Instead, we take a contextual look at impact and likelihood of a vulnerability and determine the commensurate risk to our business or customers between Informational, Low, Medium, High, or Critical. This means that you can be sure, real experienced security professionals are looking at all the details of your report to determine the severity and resulting bounty payment; you're not limited by what an algorithm dictates. When we triage issues, we will provide justification as to our severity decision if it differs from yours. Please note that our severity table ends at Critical. We will only consider the Exceptional tier for truly monumental impact to the organization.

When deciding what severity to set on your report, you may use CVSS, CWSS, SSVC, EPSS, or any other combination of tools to help you determine an accurate threshold. Please do not mark every issue a Critical/High severity unless you have reasonable justification for doing so.
Cloudways will only issue monetary rewards for reports demonstrating meaningful impact. If Cloudways decides to offer a reward for a vulnerability report, the value of the reward will be based on the impact and severity of the reported vulnerability, to be determined by Cloudways in its sole discretion. Awards are granted entirely at the discretion of Cloudways.

For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

At Cloudways’s discretion, providing more complete research, proof-of-concept code, and detailed writeups may increase the bounty awarded. Conversely, Cloudways may pay less for vulnerabilities that require complex or over-complicated interactions for which the impact or security risk is negligible.

How can I create an account?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

• Please create dedicated testing accounts for any Cloudways security research engagement. This allows our teams to know if any anomalous activity is associated with Intigriti or potential bad actors.
• Feel free to sign up for new accounts on platform.cloudways.com using your userid@intigriti.me
• While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests, X-BBP-Researcher: {Username}.
• If you are testing with an account that does not use an @intigriti.me email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).
• Once you have finished testing, don't forget to spin down resources to avoid any undue consumption.
• Free trial lasts for 60 days after which the researcher will be charged according to the payment plan.