Reporting Security Issues for ORENCloud Cloud Website and Services

ORENCloud is committed to collaborating with security researchers globally to ensure the utmost security of ORENCloud and its users. If you’ve detected an issue in our platforms or services, kindly inform us.

Reporting a Vulnerability

  • For security issues pertaining to our project, we utilize HackerOne. Should you suspect or identify a vulnerability, kindly report it through our email shown below.
  • By doing this, you help us inspect the vulnerability in detail, rectify it efficiently, and acknowledge your vital contribution.
  • For any queries about this protocol, reach out to [email protected].

Ensure that your report comprehensively details the potential effects of the vulnerability. Refrain from publicly addressing these issues on platforms like GitHub or any social media. We are striving to respond to reports on HackerOne promptly.

Note: For questions regarding this procedure, use the provided email. For vulnerability disclosures, please use HackerOne.

Supported Versions

Version    Supported
latest     ✅
<latest

Vulnerabilities We’re Concerned About 😱

Please avoid testing against ORENCloud’s live services. Instead, reach out to our team to get a development environment which we can provision based on reasonable suspicion of vulnerabilities.

  • Remote command execution
  • SQL Injection
  • Authentication bypass
  • Privilege Escalation
  • Cross-site scripting (XSS)
  • Unauthorized limited admin actions
  • CSRF

Non-Qualifying Vulnerabilities

The following are typically considered outside our scope, albeit there might be exceptions:

  • Absent HTTP security headers
  • Inadequate/Missing SPF/DKIM
  • Automated tool or scanner reports
  • Theoretical attacks lacking demonstrable exploitability
  • Social engineering tactics
  • Reflected file downloads
  • Physical threats
  • Weak encryption methods for SSL/TLS/SSH
  • Attacks requiring physical device access or involving an already compromised device/network, such as man-in-the-middle attacks.
  • User self-attacks
  • Denial of Service (DoS) attacks
  • Brute force attempts
  • DNSSEC

When in doubt regarding the scope, please submit a report.

Triaging Process

The ORENCloud team assesses issues on HackerOne on a weekly basis. We diligently work to respond via HackerOne swiftly, so please avoid public mentions on GitHub, social media, or sending repetitive reports through email.

After review, the team will categorize the issue’s urgency and place it in our internal backlog for prompt rectification. Should the team require additional details or disagree on the issue’s severity, they will clarify on HackerOne prior to finalizing the triage. Post-triage, the team’s response is structured based on the following severity levels and timelines:

Severity         Timeline
Critical (P0)    7 Days
High             30 Days
Medium           60 Days
Low              90 Days