Bug Bounty

Discover our Public Cloud offer

Shared Hosting for Everyone, imagined by developers, for developers.

Discovering the Public Cloud

Presentation and rules of the programm

The research scope only include following addresses:

- https://www.alwaysdata.com
- https://admin.alwaysdata.com
- https://webmail.alwaysdata.com
- https://api.alwaysdata.com
- ssh://ssh-[accountid].alwaysdata.net
- https://webdav-[accountid].alwaysdata.net
- ftp://ftp-[accountid].alwaysdata.net

Any type of denial of service (DDoS) attacks is strictly prohibited, as well as any interference with network equipment and alwaysdata infrastructure.

Invalid reports

The following list includes vulnerability reports not accepted by our services and the reason:

  • the name of the accounts is accessible in many different ways;
  • addresses in .alwaysdata.net are linked to our customers' accounts. Their flaws are beyond our control;
  • The /tmp directory is a shared directory;
  • “https://files.alwaysdata.com” features public files;
  • the password reset link expires after 3 days or upon the next login to the administration interface;
  • a user may reuse an old password. This is not a NIST-listed best practice;
  • verification of the email at registration is only a practice, not a flaw. We believe that requesting this verification would not limit the number of fraudulent accounts;
  • HTML and XSS injections in the administration interface would only target the attacker and therefore cannot be flaws;
  • we do not use CDN, and our IPs are public;
  • the version number of the software we use cannot be critical.

The following reports are also rejected:

  • if the attacker is the victim;
  • if the attacker takes control of the victim’s interface because the victim left their version open.