CloudDefense.AI Security Disclosure
Best Practices to follow
- Never, under any circumstances, whether via phone, text, or email, reveal sensitive security information about your company’s financial possession.
- You can rest assured that we will never, ever ask for any of the above-mentioned private information.
- We will not contact you over the phone to request access to your computer via TeamViewer, any desk, etc. in order to disclose sensitive information.
- Keep away from any communication with the sender of such messages.
CloudDefense.AI protects cloud infrastructure from external threats and incorrect permissions, protects the supply chain, and provides security teams with quick and thorough insights into application assets and risks. This gives security teams the information they need to manage risks and enable innovation in their organizations.
We use discovery, posture, entitlement engines to protect all branches by which users can find undiscovered web assets. With the help of our builtin DevSecOps platform users are able to discover SBOM in application code and OSS packages, catch & fix Code, OSS, IaC vulnerabilities and misconfigurations early in development lifecycle.
Legal Basis for our processing personal data
Incident and Change Management
Vulnerability Assessment and Penetration Testing
Standards and Certifications
We at CloudDefense.AI are devoted to protecting our customers’ data and privacy.
We use cutting-edge technology to secure our systems at multiple stages. Our data and privacy security design protects against low-hanging fruit and complex threats. We encourage security enthusiasts and researchers to responsibly report CloudDefense.AI security vulnerabilities.
Send email@example.com a bug report with steps to reproduce the issue. Please wait while we investigate and resolve the legitimate issues.
Out of scope tests
-Vulnerability scanners and another automated tools reports
– Disclosure of non sensitive information, such as product version
– Disclosure of public user information, such as nick name / screen name
– Reports based on product/protocol version without demonstration of real vulnerability presence
– Reports of missed protection mechanism / best current practice (e.g. no CSRF token, framing/clickjacking protection) without demonstration of real security impact for user or system
– Reports regarding published and non-published SPF and DMARC policies
– Logout CSRF
– Vulnerabilities of partner products or services if Clouddefense.ai users / accounts are not directly affected
– Missed SSL or another BCP for products beyond the main scope
– Security of rooted, jailbreaked or otherwise modified devices and applications
– Ability to reverse-engineer an application, lack of binary protection
– Open redirections are only accepted if security impact, e.g. ability to steal authentication token is identified.
– Plain text, sound, image, video injection into server’s reply outside of UI (e.g. in JSON data or error message) if it doesn’t lead to UI spoofing, UI behavior modification or another negative impact.
– Same site scripting, reflected download and similar attacks with questionable impact
– CSP related reports for domains without CSP and domain policies with unsafe eval and/or unsafe inline
– IDN homograph attacks
– XSPA (IP/port scanning to external networks)
– Excel CSV formula injection, scripting within PDF documents
– Attack which require full access to local account or browser profile
– Attacks with scenarios where vulnerability in a 3rd party site or application is required as a prerequisite and is not demonstrated
– Theoretical attacks without proof of exploitability
– Denial of Service vulnerabilities
– Ability to send large amount of messages
– Ability to send spam or malware file
– Information disclosure via external references outside of Clouddefense.ai control (e.g. search dorks to private robots.txt protected areas)
– Disclosure of unused or properly restricted JS API keys (e.g. API key for external map service)
– Ability to perform an action unavailable via user interface without identified security risks