Reporting a Security Issue or Vulnerability
We welcome reports of vulnerabilities or security issues from external researchers, complementing our own policy and processes.
We operate our own vulnerability scanning and management service, which we use to evaluate the severity of specific vulnerabilities and their risk to our data and our clients’ data. We take security incredibly seriously and we work hard to keep everything patched and secure – including the use of automated patching and security hardening services.
Reporting a threat to us
We value every report that we receive, no matter how big or small. Our infrastructure is public-facing and that means that naturally we will become subject to more cyber-attacks, as with any cloud provider.
If you wish to report a vulnerability to us, we request that you send this to firstname.lastname@example.org for the team to review. We will typically respond within 24 hours, acknowledging your report and resolving the issues.
What to send us
When sending us details of a vulnerability or threat, we ask that you kindly include the following information in your report:
- The host(s) that you found to be vulnerable
- Any associated documentation or CVEs
- Steps you took to reproduce this vulnerability
- As much detail as possible regarding the vulnerability
We understand that by reporting threats to other organisations, you’re helping to make the internet safer. As such, we may offer you one of the following acknowledgements of your report:
- A signed letter or email of recognition
- Your details published on our website
- A monetary gift
Please note that any acknowledgements are at the discretion of the Directors and will depend on the type of threat that you report. We cannot guarantee that all reports will receive a formal acknowledgement, and we kindly request that you don’t ask for one. Where deserved, a formal acknowledgement will be gifted in one of the above forms. We will also only provide formal acknowledgement for live threats or vulnerabilities – if you have discovered a vulnerability that had existed on one of our hosts but has since been resolved, please do not report this in retrospect.