We’re committed to making Spectro Cloud Palette a safe and secure environment for enterprise Kubernetes, and we follow best practices to secure our development and operations. But we know that no software is perfect, and we welcome the help of the security community to identify potential vulnerabilities in our products and systems through our bug bounty program (the “Program”).
The following description outlines eligibility and scope, how to report vulnerabilities, and other important terms. If you believe you've found a vulnerability, we encourage you to notify us so we can fix the issue quickly.
What we expect from you
- Let us know as soon as possible when you discover a potential security issue. To submit a report, summarize your findings in an email to bug-bounty@spectrocloud.com and follow industry-standard responsible disclosure guidelines.
- When reporting bugs, please remember to include the following details:
* Finding name
* Severity
* URL
* Domain
* Vulnerable component and parameters
* Steps to reproduce the finding
* Screenshot or video demonstrating the vulnerability
- We’ll investigate and compensate you based on the severity of the vulnerability you’ve discovered. Details of bounty payments in USD for the relevant severities are provided below:
* P1 - $500
* P2 - $250
* P3 - $100
* P4 - $75
* P5 - $50
- For payments in India, payment will be made in Rupees, less any applicable deductions and/or withholdings, according to the following severities:
* P1 - 40,000
* P2 - 20,000
* P3 - 8,000
* P4 - 6,000
* P5 - 4,000
- Spectro Cloud must be given a reasonable time to resolve the issue before any disclosure to the public or a third party. We will confirm receipt of your report within 3 business days and share the assigned severity. You can expect a reply within 5 business days.
- All severities are assigned according to Spectro Cloud’s internal policy.
- Only one payment will be made for each unique submission.
- Apply due diligence to your work to prevent data loss, privacy violations, service interruptions, and other issues or disruptions. Interact only with accounts you own or with the explicit permission of the account holder. You may not access, modify or delete user data without the explicit authorization of the account owner.
- You may not exploit financial vulnerabilities beyond what is necessary to demonstrate their existence.
- You may not degrade or otherwise interfere with the performance of our services (including denial of service).
What’s in scope?
spectrocloud.com, kairos.io, code on https://github.com/spectrocloud, and the Spectro Cloud Palette product, including our PXK Kubernetes distributions.
What’s out of scope?
Our bug bounty program doesn’t cover:
- Email security: missing or incomplete SPF/DKIM/DMARC records, etc.
- DoS attacks
- Spamming, email bombing, flooding, and rate-limiting issues
- Clickjacking and missing CSRF protection
- Social engineering or phishing of Spectro Cloud employees or contractors
- Physical security attacks
- Previously known vulnerable libraries without a working PoC
- Missing best practices in SSL/TLS configuration
- Missing cookie flags (HttpOnly or Secure) or issues related to HTTP headers
- EXIF and Geolocation related vulnerabilities
- Issues requiring non-standard hardware or modified platforms (e.g., jailbroken devices)
- Vulnerabilities affecting older/unpatched browsers
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Issues related to software outside the Spectro Cloud platform and outside Spectro Cloud’s control
- Reports from automated scans, or PoCs generated using cracked/pirated software
- Vulnerability reports without a PoC
- WAF bypass for non-production environments
- Mapbox API and Algolia token leakage