Bug Bounty Program
We are dedicated to ensuring that Spectro Cloud Palette remains a secure and reliable platform for enterprise Kubernetes. While our development and operational processes align with industry-leading security standards, we recognize that no software is entirely free from vulnerabilities. As such, we invite security researchers around the world to participate in our Bug Bounty Program (the “Program”) to help identify and remediate potential security issues.
The following guidelines outline program scope, exclusions, instructions for reporting vulnerabilities, and other essential details. If you believe you have discovered a security vulnerability affecting Spectro Cloud operations, please report it to us at bugbounty@spectrocloud.com so we can investigate and address it promptly.
Program Scope
Exclusions (out of scope)
Bounty Tiers
Researchers based in India will be compensated in INR, while researchers located outside India will be compensated in USD as shown in the table above.
Note: Any valid submission that does not fall under the above severity categories will be classified as informational. Informational submissions are not eligible for monetary rewards; however, we will acknowledge the researcher's efforts by publicly listing their profile on the Spectro Cloud website.
Payout Guidelines
- Each unique vulnerability is eligible for a single payout.
- Non-US researchers receiving payouts in USD (excluding researchers based in India) must complete the W-8BEN form and submit it to our team prior to payment processing. For more information, please refer to the W-8BEN Form Instructions.
- Payouts will be issued after successful bug remediation.
- Researchers must claim their payouts within 6 months from the notification date; unclaimed rewards will expire.
- Researchers are responsible for complying with applicable local tax obligations.
Responsible Research and Disclosure Policy
To participate, researchers must:
- Conduct testing responsibly, avoiding data loss, service interruption, privacy breaches, or unauthorized access.
- Interact only with accounts you own or have explicit permission to use, and never access, modify, or delete user data without explicit authorization.
- Avoid exploiting vulnerabilities beyond the minimum required to demonstrate existence.
- Avoid actions that degrade or interfere with the performance of our services (e.g., denial-of-service attacks).
- Use professional language in attack payload data (e.g., use "this has been tested" rather than "this has been hacked").
- Allow Spectro Cloud reasonable time to resolve identified vulnerabilities before any public or third-party disclosure.
Conditions for Closing Reports without monetary reward
Submission Guidelines and Review Process
How to Submit a Bug Report:
Prepare your report including the following mandatory sections, ensuring that all required details are clearly provided in each:
- Title (use it in email subject)
- Description of the issue
- Steps to Reproduce (Include screenshots, code, or payloads if applicable)
- Proof of concept (Include screenshots, video, or a script demonstrating the exploit)
- Suggested remediation
Send the completed report to bugbounty@spectrocloud.com.
Note: If any of your submitted reports are deemed valid (including informational reports), you will be recognized on our Whitehat Honor Board. Additionally, you will receive an invitation to a private reporting portal, where you can submit future reports, manage all submissions, and track their status. This approach helps us identify and prioritize dedicated researchers, ensuring faster review and response times for their future submissions.
Review Process
- Acknowledgment: Within 3 business days of submission.
- Initial assessment: Severity evaluation and next steps communicated within 5 business days.
- Final severity rating: Determined exclusively by Spectro Cloud according to internal assessment criteria.
Additional terms and conditions
By participating in the Bug Bounty Program, you agree to comply with the Spectro Cloud Terms of Service and Privacy Policy (together with these terms and conditions, the “Terms”).
- In the event of disclosure of any Personal Identifiable Information other than your own, you are directed to cease the activity that caused the disclosure, document the steps to replicate it, and submit a report as soon as possible.
- If you have discovered a vulnerability, do not disclose details of your findings publicly or to a third-party, as doing so could invalidate your bounty payout.
- Bounty payouts are subject to taxes of your country of residence. You are responsible for any tax implications.
- Information you receive or collect about Spectro Cloud or its affiliates or members through the Program, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential ("Confidential Information"). For purposes of the Program, information and/or material shall be deemed "Confidential Information" if such information and/or material is otherwise not generally available to the public, or given the nature of the information or material, a reasonable person would consider such information and/or material "confidential" or "proprietary."
- Neither your participation in the Program nor anything contained in the Terms shall be construed as creating or implying a joint venture, partnership, agency or employment relationship between you and Spectro Cloud or its affiliates.
- Confidential Information must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such confidential information without Spectro Cloud’s prior written consent.
- You agree to defend, indemnify and hold harmless Spectro Cloud and its affiliates and the officers, directors, agents, employees and vendors of Spectro Cloud and its affiliates from any claim or demand (including attorneys' fees) made or incurred by any third party due to or arising out of your participation in the Program, your breach of the Terms, or your improper use of the Program.
- Offer and the Program are subject to change without notice. Other restrictions may apply.
- You may submit reports from any country, but Spectro Cloud can process payments only to accounts located in countries supported by the RAMP payment platform. Please check this link for the list of RAMP-supported countries.
- In no event will Spectro Cloud make payments to a country or individual currently under sanction or other restriction as determined by the United States Department of the Treasury, Office of Foreign Assets Control (“OFAC”). Additionally, regardless of anything in the Terms to the contrary, Spectro Cloud may, at its sole discretion and at any time, with or without notice, change the countries or individuals that are eligible for payments under the Program.
- The Program, including all its policies, is subject to change or cancellation by Spectro Cloud at any time and without notice. As such, Spectro Cloud may amend the Terms at any time by posting a revised version on our website. By continuing to participate in the Program after any such changes, you accept the Terms, as modified.
FAQs
Non-US researchers receiving USD payouts (excluding researchers based in India) must submit a completed W-8BEN form before payment processing. Refer to W-8BEN Form Instructions.
The W-8BEN form certifies your non-US tax status, enabling Spectro Cloud to correctly handle US tax withholding and comply with IRS regulations when processing your payout.
No. Payments must be made directly to the researcher who submitted the report and cannot be transferred or reassigned.
Payments are typically processed through the RAMP payment platform.
Payments are available in USD for global researchers and INR for researchers based in India. Payments in other currencies aren't supported.
Please contact us at bug-bounty@spectrocloud.com to request access to the Palette console.
Note: Access is currently provided to participants who have submitted a valid report (including informational findings). This ensures that users receiving access have demonstrated engagement and can effectively test the Palette platform.
Access is typically granted for 30 days. If you need more time, you can request an extension by contacting us, and we’ll be happy to review and extend access as needed.
Public disclosure without explicit written permission from Spectro Cloud is prohibited. Unauthorized disclosure may invalidate your bounty reward.
Yes, you may report impactful vulnerabilities even if they're technically out-of-scope. Spectro Cloud will assess each report individually, though payout is not guaranteed for out-of-scope issues.
For any other questions or clarifications, please reach out to us at bug-bounty@spectrocloud.com.