Cloudways is a managed web hosting platform that specializes in providing an easy-to-manage environment for web applications.
The idea behind offering bounty for bugs is to tap into the expertise of the InfoSec community and discover the gaps in the Cloudways Platform’s security. The emphasis is on offering a secure user experience to our customers and to ensure that the Cloudways Platform remains the most secure managed hosting option for our users.
At its core, this program adheres to the standard BugCrowd Vulnerability Taxonomy Rating (VRT), and initial bug priorities (and thus, the rewards) will be decided on the basis of VRT. However, in some cases the Bug priority can be revised (with consequent impact on the rewards) because of the likelihood of occurrence and impact on the below-mentioned Cloudways Targets. We reserve the right to change the priority and associated rewards of a vulnerability after assessing its impact.
Vulnerabilities that lie in “Non-Rewarded” section will only be rewarded Kudos points. These vulnerabilities are listed in the section below.
Please be aware that Cloudways may take up to three weeks to accept any given submission and allocate the reward. No rewards should take longer than three weeks to process.
Last updated 19 Apr 2019 13:49:55 UTC
Technical severity | Reward range
p1 Critical | $600 - $1,500
p2 Severe | $300 - $600
p3 Moderate | $100 - $300
p4 Low | $50 - $100
P5 submissions do not receive any rewards for this program.
Target name | Type
platform.cloudways.com | Website
api.cloudways.com | API
developers.cloudways.com | API
Any Cloudways domain/subdomain/property not listed in this Targets section is out of the scope of this program.
The Cloudways Bug Bounty Program focuses on the following three areas:
Cloudways Platform is the primary target for this program.
Cloudways Platform is the main interaction point for Cloudways customers. Through the Platform, customers could launch managed cloud servers and then set up their application on these servers. Once the application is up, Cloudways Platform provides users with options to manage their servers and applications.
The Cloudways Platform should be tested from the user’s perspective. In addition to the standard VRT vulnerabilities, we invite you to test the Platform as per the "Focus Areas" section below.
Cloudways API offers an alternative to the Cloudways Platform. Many, but not all actions that Cloudways Platform allows through the UI can also be performed through Cloudways API.
In the event where a vulnerability is applicable to both the Platform & API, it will be treated as one reported incident.
For API Docs, refer to the link: https://developers.cloudways.com/docs/
Cloudways Developers authorizes the API key to use Cloudways API. The vulnerability testing of this target should focus on the process of API authorization ONLY. All other areas on Cloudways developers are strictly OUT OF SCOPE.
The following are the requirements for setting up your Cloudways platform test account:
While testing Cloudways targets from a user’s perspective, your efforts should be directed towards the following areas:
Cloudways Platform and API to manage customer servers, which may include:
Please note that if you find any exploits, please BE CAREFUL when testing and inform Cloudways prior to any invasive or impactful testing.
at any time. In all cases, you should report the discovered vulnerabilities through the appropriate channels.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.