Bug bounty program
We're committed to making Spectro Cloud Palette a safe and secure environment for enterprise Kubernetes, and we follow best practices to secure our development and operations. But we know that no software is perfect, and we welcome the help of the security community to identify potential vulnerabilities in our products and systems through our bug bounty program.
The following description outlines eligibility and scope, how to report vulnerabilities, and other important terms. If you believe you've found a vulnerability, we encourage you to notify us so we can fix the issue quickly.
What we expect from you
- Let us know as soon as possible when you discover a potential security issue. To submit a bounty, please summarize your findings in an email to email@example.com. Follow industry standard disclosure guidelines.
- We'll investigate and compensate you based on the severity of the vulnerability you've discovered.
- Give us a reasonable amount of time to resolve the issue before you make any disclosure to the public or a third party.
- In your work, please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. Do not access, modify or delete user data without permission of the account owner.
- Do not exploit financial vulnerabilities beyond what is required to prove their existence.
- Act in good faith not to degrade the performance of our services (including denial of service).
What's in scope?
spectrocloud.com, kairos.io, code on https://github.com/spectrocloud, and the Spectro Cloud Palette product, including our PXK Kubernetes distributions.
What's out of scope?
Our bug bounty program doesn't cover:
- Email security: missing or incomplete SPF/DKIM/DMARC records, etc.
- DoS attacks
- Clickjacking, Cross-Site Request Forgery (CSRF), and Self Cross-Site Scripting (Self-XSS)
- Previously known vulnerable libraries without a working PoC
- Missing best practices in SSL/TLS configuration
- Missing cookie flags (HttpOnly or Secure)
- Issues requiring non-standard hardware or modified platforms (e.g. jailbroken devices)
- Vulnerabilities affecting older/unpatched browsers
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Issues related to software outside the Spectro Cloud platform and outside our control
- Reports from automated tools or scans (without validation of vulnerability)