Responsible Disclosure Policy
The information on this page is intended for security researchers interested in reporting security vulnerabilities to the ChinaNetCloud security team.
If you believe you've discovered a security vulnerability on a ChinaNetCloud system or application, we strongly encourage you to inform us as quickly as possible and to not disclose the vulnerability publicly until it is fixed. We appreciate your assistance, and we review all reports and will do our best to address the issue in a timely fashion. To encourage responsible disclosure, ChinaNetCloud will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that a disclosure meets the following guidelines.
Responsible Disclosure Guidelines
- Notify ChinaNetCloud and provide us with details of the vulnerability. Please provide us a reasonable time period to address the issue before public disclosure.
- Provide an appropriate level of detail on the vulnerability to allow us to identify and reproduce the issue. Detail should include target URLs, request/response pairs, screenshots, and/or other information. We will confirm your email and evaluate the validity and reproducibility of the issue. For valid issues, we will work to fix the issue and keep you apprised of progress.
- Make a reasonable effort to avoid service disruption (e.g. DoS), privacy issues (e.g. accessing a ChinaNetCloud customer's data, or our customers' users' data), and data destruction when performing vulnerability research.
- Do not request compensation for security vulnerability reports either from ChinaNetCloud or external vulnerability marketplaces.
- Do not phish or social engineer employees or customers of ChinaNetCloud (this will change later).
- Do not run automated scanning tools and send us the output without confirming the issue is present. Security tools often output false positives that should be confirmed by the reporter.
Vulnerability Categories We Encourage
We are primarily interested in hearing about the following vulnerability categories:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Authentication related issues
- Authorization related issues
- Data Exposure
- Redirection Attacks
- Remote Code Execution
- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
If you have any doubt, please write to us: [email protected]
Vulnerability Categories Ineligible for a Bounty, but Appreciated
- Recently disclosed 0-day vulnerabilities
- Use of a known-vulnerable library
- XSS attacks via POST or headers
- Information disclosure
- Software version disclosure
- Open redirects
- Any low severity issue (not listed in the "We Encourage" section)
Out of Scope Vulnerability Categories
The following vulnerability categories are considered out of the scope of our responsible disclosure program and will not be eligible for credit on our researcher list.
- DNS record related vulnerabilities (SPF, DKIM, DMARC)
- Email spoofing; we're aware of this and for now it is a "won't fix" issue
- SSL vulnerabilities related to configuration or version
- Denial of Service (DoS)
- User enumeration
- Brute forcing
- Secure flag not set on non-sensitive cookies
- HTTPOnly flag not set on non-sensitive cookies
- Logout Cross Site Request Forgery (CSRF)
- HTTP TRACE method enabled
- Clickjacking on pages without authentication and/or sensitive state changes
- Vulnerabilities that require physical access to the victim's computer
Thank you for helping keep ChinaNetCloud and our customers safe.