Wanclouds Bug Bounty Program
Program Overview
At Wanclouds, we take security seriously and aim to protect our users' data and privacy. As part of our ongoing commitment to security, we have launched a Bug Bounty Program to encourage the responsible disclosure of vulnerabilities in our systems.
We invite independent security researchers and ethical hackers to participate and help us find vulnerabilities before they can be exploited.
Scope of the Program
In Scope
We welcome testing of the following systems:
- Web Applications: vpc.wanclouds.net
- Other Systems
Out of Scope
Please do not test the following:
- Social Engineering: Phishing, impersonation, or any form of social engineering is strictly prohibited.
- Denial of Service: Do not attempt to disrupt services or perform stress testing.
- Third-party services: If we use third-party services, they are not within the scope unless explicitly mentioned.
Excluded Vulnerabilities
The following types of vulnerabilities are not eligible for rewards:
- Known vulnerabilities that are publicly documented
- Vulnerabilities in outdated software versions that are no longer supported
- Minor issues such as cosmetic UI bugs or spelling mistakes.
- Issues that are not exploitable in a production environment
Reporting Guidelines
To ensure your report is actionable, please include the following information:
- Detailed Description: A clear explanation of the vulnerability you found.
- Steps to Reproduce: Step-by-step instructions on how to replicate the issue.
- Impact: A description of the potential damage or exploitation.
- Proof of Concept (PoC): If applicable, a demonstration or code illustrating the issue.
- Environment: Information about the environment where the vulnerability was discovered (e.g., browser version, OS).
How to Report
You can report vulnerabilities directly by email at: [email protected]
What Happens After I Report?
- Acknowledgment: You'll receive a confirmation email that your submission has been received.
- Triage: Our security team will verify, assess, and assign a severity level to the vulnerability.
- Fix & Remediation: We'll work on resolving the issue and may reach out for additional information or clarification.
- Disclosure: We will notify you when the vulnerability has been fixed and when it will be publicly disclosed, if applicable.
Vulnerability Severity Classification
We classify vulnerabilities according to the following scale:
- Critical: Vulnerabilities that can lead to remote code execution, data breaches, or complete system compromise.
- High: Issues that can lead to significant data loss, privilege escalation, or other significant security impacts.
- Medium: Vulnerabilities with moderate risk that could still have an impact if exploited.
- Low: Minor issues with little to no impact on security.
Program Rules and Legal Considerations
- Legal Compliance: All participants must comply with applicable laws and regulations while testing.
- No Data Breach: Do not access, download, or exfiltrate sensitive customer data. If you inadvertently discover such data, report it immediately and avoid accessing it.
- Confidentiality: Do not publicly disclose vulnerabilities until they have been fixed and we have given permission.
- Do Not Engage in Social Engineering: Avoid any form of phishing, impersonation, or attacks aimed at employees, customers, or users.
By participating in this program, you agree to adhere to the above rules and guidelines.
Frequently Asked Questions
Q1: What if I find a vulnerability in a third-party service you use?
If the issue is specific to a third-party service, we recommend reporting it directly to them. However, if the issue affects our systems or services in any way, please notify us.
Q2: How long will it take for a vulnerability to be fixed?
The time to fix a vulnerability depends on its severity. Critical issues will be addressed immediately, while less severe issues may take longer.
Q3: Can I test your system anytime?
Please ensure that your testing complies with our rules of engagement. We recommend testing during off-peak hours to minimize potential disruption.
Contact Us
If you have any questions regarding the Bug Bounty Program or need further clarification, please reach out to us at [email protected]
Conclusion
By participating in our Bug Bounty Program, you'll be helping us ensure the security of our systems and protect our users. We value the contributions of ethical hackers and are excited to work together to make Wanclouds even more secure.