
Cloud Software Group
Bounty Range
$100 - $10,000
external program
Cloud Software Group looks forward to working with the security community to find security vulnerabilities to keep our businesses and customers safe.
Your participation in the Bug Bounty Program ("Program") is voluntary and subject to the terms and conditions set forth in this Cloud Software Group Bug Bounty Program Policy (the "Policy"), and any other agreement in which you have entered with Cloud Software Group in connection with the Program (collectively "Cloud Software Group Agreements"). By submitting a vulnerability to Cloud Software Group, you acknowledge that you have read and agreed to this Policy and the Cloud Software Group Agreements.
Cloud Software Group maintains the right to terminate this Bug Bounty Program ("Program") at any time with or without notice. Cloud Software Group may amend this Policy at any time by posting a revised version on our BugBase policy page. By continuing to participate in the Program after any such changes, you accept the Policy's terms and conditions, as modified.
Cloud Software Group may, in its sole discretion, remove you from the Program, or disqualify you from receiving any benefit of the Program, if you breach this Policy or any of the Program's terms, or if Cloud Software Group determines that your participation in the Program could adversely affect Cloud Software Group, our affiliates, subsidiaries, customers, employees or agents.
Although this is a public program, you are not permitted to discuss or publish anything about any vulnerabilities (even resolved ones) without express written consent from Cloud Software Group.
In the event of any inconsistency between this Policy and BugBase's disclosure guidelines, this Policy will govern and control.
If you prefer not to be part of the Cloud Software Group Bug Bounty Program, you may submit issues via Cloud Software Group's coordinated disclosure program. However, please note that reports submitted via our coordinated disclosure program do not qualify for a bounty.
- Follow BugBase's code of conduct.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- If you find a vulnerability which is out of scope for this Program, please report it, but note it may not be eligible for a bounty.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that the steps in the report can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Subdomain takeovers other than those reported for *.cloud.com and *.citrixworkspacesapi.net will be treated as out of scope for this engagement.
- Social engineering techniques (e.g., phishing, vishing, smishing) are prohibited.
- Leaked credentials may not be eligible for a bounty; they will be evaluated on a case-by-case basis depending on impact.
- You are prohibited from engaging in any privacy violations, trading stolen user credentials, destroying data, or interrupting or degrading our service (including, without limitation, spam, DoS attacks or DDoS attacks).
- Only interact with accounts you own or with the explicit permission of the account holder.
- You are prohibited from engaging in any activity that results in you, or any third party, accessing, acquiring, altering, copying, storing, saving, sharing, transferring, deleting, destroying, or otherwise processing user data. Contact us immediately if you do inadvertently encounter user data, and immediately and securely purge any local information upon reporting the vulnerability to Cloud Software Group.
To be eligible for the Bug Bounty Program, you must not:
- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan, and Syria).
- Be in violation of any national, state, or local law or regulation.
- Be a current employee of Cloud Software Group or its affiliates or subsidiaries, or an employee who has left Cloud Software Group, or its affiliates or subsidiaries, within the past 12 months.
- Be an immediate family member of a person employed by Cloud Software Group or its subsidiaries or affiliates.
- Be less than 13 years of age. If you are between 13 and 17 years old and are considered a minor in your place of residence, you must get your parent's or legal guardian's permission prior to participating in the program.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Subdomain takeovers other than those found on *.cloud.com and *.citrixworkspacesapi.net
- Vulnerabilities found on subdomains of cloud.com which are not explicitly listed in scope
- Clickjacking and issues only exploitable through clickjacking
- Descriptive error messages (e.g., stack traces, application, or server errors) without proof of vulnerability or risk
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories, e.g., robots.txt
- Scripting or other automation and brute forcing of intended functionality
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Lack of Secure and HttpOnly cookie flags
- Content spoofing (text injection), IDN homograph attacks, or reflected file download attacks
- Tabnabbing
- Email configuration issues (SPF, DKIM, DMARC)
- Weak captcha or captcha bypass
- Forced login/logout CSRF
- Account lockout, login, or forgot password page brute force
- Password complexity or account recovery policies
- HTTPS mixed content
- Missing HTTP security headers
- Known SSL issues
- SSL forward secrecy or HSTS not enabled
- Weak SSL/TLS cipher suites
- Issues related to networking protocols or industry standards not controlled by Cloud Software Group
- Sending vulnerability reports using automated tools without validation
- Use of a known-vulnerable library without evidence of exploitability
- Problems related to widely publicized CVEs
- Attacks requiring physical access to a user's unlocked device
- Reports of spam, phishing, or security best practices
- Username/email enumeration
- Bugs in content/services that are not owned/operated by Cloud Software Group
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Any activity that could lead to the disruption of our service (DoS)
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Content spoofing and HTML injection issues without showing an attack vector/without being able to execute JavaScript
- HTTP OPTIONS/TRACE/PUT methods enabled
- Disclosure of private IP addresses in HTTP responses
- 3rd party feature abuse (data: URL schema)
- Partner sites/services
| Asset | Type | Last Update |
|---|---|---|
| https://citrix.cloud.com | Web | Jan 9, 2025 |
| http://citrixworkspaceapi.net | API | Jan 4, 2025 |
| Asset | Type | Last Update |
|---|---|---|
| https://eu.cloud.com | Web | Dec 8, 2024 |
| https://us.cloud.com | Web | Jul 4, 2024 |
| https://onboarding.cloud.com | Web | Jul 4, 2024 |
| https://accounts.cloud.com | Web | Dec 19, 2024 |
| https://accounts-internal.cloud.com | Web | Jul 4, 2024 |
| Severity | Reward |
|---|---|
| Critical | $10,000 |
| High | $4,000 |
| Medium | $500 |
| Low | $100 |
To participate in the program and access the assets, you must request whitelisting, as it is a prerequisite for platform access. Please head over to the CREDENTIALS & VPN tab and request whitelisting there.