Responsible Disclosure

Version: 1.0  ·  Effective date: May 2026  ·  Owner: Cloudryption Security & Privacy

1. Policy purpose

Cloudryption welcomes good-faith security research that helps improve the security of the website, platform, APIs, and customer trust posture.

This policy describes permitted testing scope, researcher rules, safe harbour protections, and the response process. By participating in good-faith security research under this policy, researchers help protect Cloudryption's customers and the broader community.

2. Scope

In scope:

• cloudryption.com and app.cloudryption.com
• API endpoints owned and operated by Cloudryption
• Authentication and session management flows
• Authorisation and tenant isolation mechanisms
• Report, export, and evidence access controls
• Security-relevant misconfiguration in Cloudryption-controlled infrastructure

Out of scope (unless explicitly authorised in writing):

• Customer tenants or customer cloud environments connected to Cloudryption
• Third-party services and infrastructure not operated by Cloudryption
• Social engineering, phishing, or physical attacks against Cloudryption personnel
• Denial-of-service, brute force, credential stuffing, or spam
• Malware deployment, destructive testing, or actions that modify or destroy data
• Tests that access, exfiltrate, or disclose data belonging to other customers

3. Researcher rules

To qualify for safe harbour protections, researchers must:

• Stop testing immediately if you encounter customer data, plaintext secrets, personal data of third parties, evidence of active compromise, or cause any service disruption
• Not attempt persistence, lateral movement, privilege escalation beyond proof-of-concept, data extraction, or destructive testing
• Not publicly disclose vulnerability details before Cloudryption has had a reasonable opportunity to remediate (at least 90 days, unless mutually agreed otherwise)
• Use only accounts and tenants that you own or are explicitly authorised to test
• Provide clear reproduction steps including affected endpoints, payloads, timestamps, test account identifiers, expected vs. actual behaviour, and recommended remediation where possible

4. Safe harbour

Cloudryption will not pursue legal action against researchers who:

• Make a good-faith effort to comply with this policy
• Avoid privacy violations, service disruption, and data destruction
• Promptly report vulnerabilities and provide adequate time for remediation before public disclosure
• Act within the permitted scope

Safe harbour does not apply to actions that are unlawful, destructive, extortive, negligent with data, or outside the permitted scope defined in this policy. Safe harbour is provided in good faith and does not constitute a waiver of any rights under applicable law.

5. Response targets

Cloudryption will keep reporters informed of triage status and remediation progress. Where a longer timeline is needed due to complexity or dependency on third parties, Cloudryption will communicate this proactively.

6. No bounty statement

Unless Cloudryption publishes a separate bounty programme with explicit monetary rewards, financial compensation is not guaranteed. Cloudryption may provide public recognition at its discretion where legally and operationally appropriate and where the researcher consents.

7. How to report

Send vulnerability reports to: security@cloudryption.com

Use the subject line: Responsible Disclosure — [brief vulnerability description]

Include in your report:

• Vulnerability type and affected component or endpoint
• Step-by-step reproduction instructions
• Your assessment of impact and severity
• Test account identifiers used (for safe harbour validation)
• Screenshots or proof-of-concept where safe to include
• Any recommended remediation or mitigations

Do not include customer data, credentials, or any content that does not belong to you in your report.

8. Severity examples