We’re committed to making Spectro Cloud Palette a safe and secure environment for enterprise Kubernetes, and we follow best practices to secure our development and operations. But we know that no software is perfect, and we welcome the help of the security community to identify potential vulnerabilities in our products and systems through our bug bounty program.
The following description outlines eligibility and scope, how to report vulnerabilities, and other important terms. If you believe you've found a vulnerability, we encourage you to notify us so we can fix the issue quickly.
What we expect from you
- Let us know as soon as possible when you discover a potential security issue. To submit a report, please summarize your findings in an email to bug-bounty@spectrocloud.com. Follow industry-standard disclosure guidelines.
- When reporting bugs, please remember to include the following details:
* Finding name
* Severity
* URL
* Domain
* Vulnerable component and parameters
* Steps to reproduce the finding
* Screenshot or video demonstrating the vulnerability
- We’ll investigate and compensate you based on the severity of the vulnerability you’ve discovered. Details of bounty payments in USD for the relevant severities are provided below:
* P1 - $500
* P2 - $250
* P3 - $100
* P4 - $75
* P5 - $50
- For researchers from India, details of bounty payments in INR for the relevant severities are provided below:
* P1 - 40000 INR
* P2 - 20000 INR
* P3 - 8000 INR
* P4 - 6000 INR
* P5 - 4000 INR
- Payments to researchers from India are made from the India office, with applicable withholding taxes deducted where required.
- Payments are processed every other Thursday; the country you're based in affects how long it takes to receive the amount.
- Give us a reasonable amount of time to resolve the issue before you make any disclosure to the public or a third party. We'll confirm receipt of your report within 24 hours and share the details of the assigned severity. You can expect a reply within 48 working days.
- All severities are assigned according to our internal policy.
- We accept team submissions for P1 and P2 severity only.
- Apply due diligence to your work to prevent data loss, privacy violations, service interruptions, and other problems. Interact only with accounts you own or with the explicit permission of the account holder. Don't access, modify or delete user data without the permission of the account owner.
- Don’t exploit financial vulnerabilities beyond what is necessary to demonstrate their existence.
- Act in good faith not to degrade the performance of our services (including denial of service).
- Currently, we do not allow disclosure of reported vulnerabilities.
What’s in scope?
spectrocloud.com, kairos.io, code on https://github.com/spectrocloud, and the Spectro Cloud Palette product, including our PXK Kubernetes distributions.
What’s out of scope?
Our bug bounty program doesn’t cover:
- Email security: missing or incomplete SPF/DKIM/DMARC records, etc.
- DoS attacks
- Spamming, email bombing/flooding, rate limiting
- Clickjacking and missing CSRF protection
- Social engineering or phishing of Spectro Cloud employees or contractors
- Physical security attacks
- Previously known vulnerable libraries without a working PoC
- Missing best practices in SSL/TLS configuration
- Missing cookie flags (HttpOnly or Secure) or issues related to HTTP headers
- EXIF and Geolocation related vulnerabilities
- Issues requiring non-standard hardware or modified platforms (e.g. jailbroken devices)
- Vulnerabilities affecting older/unpatched browsers
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Issues related to software outside Spectro Cloud platform and control
- Reports from automated scans or PoCs generated using cracked/pirated software
- Reporting vulnerabilities without a PoC
- WAF bypass for non-production environments
- Mapbox API & Algolia Token leakage