Summary #
At xCloud, we prioritize top-notch security and vulnerability disclosure protocols. Our team puts in the effort to safeguard user data, though we acknowledge that no system is entirely immune to potential risks. Hence, we welcome the open and responsible reporting of vulnerabilities via our Security and Vulnerability Disclosure Program. Through collaboration, we aim to enhance the safety and security of our users’ experience.
How To Report Security Issues #
We value the help of security researchers and the public in spotting potential issues. If you think you’ve found a security problem in our xCloud system, please let us know promptly.
Here’s how you can reach out:
Send an email to support@xcloud.host or visit this link to provide as much detail as you can about the potential problem, including:
- Description of the issue
- Steps to recreate it
- How it could affect our users
- Any other useful information or resources
Instructions #
We kindly request that you:
- Refrain from exploiting any vulnerabilities you find.
- Avoid any actions that could compromise the reliability or integrity of our services or data.
- Hold off on publicly sharing the bug until xCloud has had the chance to address it.
Prerequisites and Ethical Reporting #
- You must follow all relevant laws.
- Only use your own test accounts to find vulnerabilities in xCloud’s products, services, or code.
- Accessing or changing user data without the account owner’s permission is strictly forbidden.
What To Expect After Reporting #
After you’ve reported a vulnerability, here’s what you can anticipate from us:
- We’ll send you an acknowledgment email within 3 business days of receiving your report.
- Our team will assess the reported vulnerability to confirm its validity.
- If the issue is confirmed, we’ll promptly address it and keep you updated on our progress.
- Upon resolution, we’ll recognize your contribution in our release notes, unless you prefer to remain anonymous.
Rules Of Engagement #
- NEVER target xCloud users or their resources (e.g. Servers, Sites, Teams, etc.). This is strictly prohibited. ONLY test against your own accounts and resources.
- Provide detailed reports with reproducible steps for any vulnerability found. If a report is not detailed enough for us to reproduce the issue, it will not be eligible for recognition.
- If the same issue is reported by multiple people, we will only recognize the first report with a clear description and steps to reproduce it.
- Make a good-faith effort to avoid privacy violations, destruction of data, or service degradation.
- If you find a vulnerability, do not exploit it beyond a minimal proof of concept. Do not dump the database, and do not retrieve files or data beyond what is needed to demonstrate the issue.
- Do not perform any DoS or DDoS, social engineering, or physical attacks against xCloud, WPDeveloper, or our users.
- Do not host personal or commercial servers or sites under your testing account. We may remove your testing account without prior notice.
- When testing xCloud, do not launch servers larger than 4 GB, and do not run more than 3 servers concurrently.
The Following Domains Are In Scope #
- xcloud.host – Priority: Medium
- app.xcloud.host – Priority: Critical
- xCloud Playground – Priority: Medium
Domains not listed above are out of scope.
Out Of Scope Domains #
- Any domains or resources not mentioned in the previous list are out-of-scope.
- Any resource used as a staging platform by the xCloud team is out of scope and must not be tested.
- Any domains or resources used by the xCloud users are out-of-scope.
Qualifying Vulnerabilities #
xCloud will accept reports of any vulnerability that substantially affects the confidentiality or integrity of any eligible xCloud service. Eligible vulnerabilities include, but are not limited to:
- Remote Code Execution (RCE)
- Privilege Escalation and Cross Instance Data Leakage/Access
- Server-side injection vulnerabilities, including SSRF, SQL, and XML injection
- Client-side vulnerabilities, including Stored XSS and CSRF (high impact only)
- Directory traversal that exposes sensitive information
- Disclosure of sensitive or personally identifiable information
- Access Control Vulnerabilities (BAC, IDOR, etc.)
- Broken authorization that leads to access to other xCloud users' records
- Significant security misconfiguration with a verifiable vulnerability
- Exposed system credentials, disclosed by xCloud or its employees, that pose a valid risk to an in-scope asset
Non-Qualifying Vulnerabilities #
The following vulnerability types will not qualify for the Vulnerability Disclosure Program and should not be tested by any security researchers:
- Automated scan output without any real proof-of-concept and impact
- Password complexity requirements
- Email verification/validation issues
- Source code disclosure vulnerabilities
- Email bombing
- Lack of rate limiting
- Vulnerabilities in users’ own infrastructure or virtual private servers (VPS), including websites, databases, etc. These should be reported to the respective server providers or vendors.
- Self-XSS
- Clickjacking attacks
- Content Spoofing
- Missing security-related HTTP headers without any proof of exploitability.
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Weak Captcha / Captcha Bypass
- Username/email enumeration
- Phishing attacks on users
- Social Engineering Attacks
- Missing or incorrect SPF records of any kind
- Missing or incorrect DMARC records of any kind
- DNS configuration and TLS/SSL-related issues
- Server configuration issues
- Banner or version disclosures
- DoS/DDoS attacks, brute force
- Blackhat SEO techniques
- CSV Injection
- Any submission determined to be low risk, based on theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
- Vulnerabilities on third-party libraries without showing specific impact on the target application (e.g. a CVE with no exploit)
- Exposed credentials that are either no longer valid or do not pose a risk to an in-scope asset
- Broken links in blog pages
- Any bug that relies upon an outdated browser
- Discount coupon abuse
- Issues where paid features are accessible on free accounts with no inherent “security” implications
Report Submission Requirements #
To report a valid bug, please include the following information:
- Full description of the vulnerability being reported, including its exploitability and impact
- Evidence and an explanation of all steps required to reproduce the issue, which may include:
  - Videos or step-by-step screenshots
  - Exploit code
  - Traffic logs
  - Web/API requests and responses
- IP address used during testing
- Details of the testing account used by the researcher (mandatory)
Changes To Program Terms #
The Vulnerability Disclosure Program, including any or all of its policies, is subject to change or cancellation by xCloud at any time, without any prior notice. By continuing to participate in the Vulnerability Disclosure Program, you accept the Program Terms, as modified.
Recognition #
We recognize the effort and commitment required to uncover security vulnerabilities. As a gesture of gratitude for helping us maintain xCloud's security, we acknowledge the disclosure of any confirmed and resolved security vulnerability by adding you to our Hall Of Fame page as one of our valued contributors. Please note that eligibility for this recognition is discretionary and assessed on a case-by-case basis.
Is There a Bug Bounty Program for xCloud? #
xCloud currently does not offer a bug bounty program. While such programs can uncover different flaws, they sometimes attract many people interested in monetary gain rather than in genuinely improving the platform. Therefore, we do not offer monetary compensation for reported vulnerabilities.
At xCloud, our commitment lies in furnishing a secure environment for all users. Your assistance in identifying areas for improvement is invaluable. Together, we can uphold xCloud as a reliable hosting solution for WordPress.