At Cloudreach, we are committed to the responsible disclosure of vulnerabilities, allowing all third parties, including partners, researchers, media outlets, and the general public, a suitable, legal method to disclose any known vulnerabilities to us.

Vulnerabilities within scope include those affecting Cloudreach internal processes, Cloudreach customers and all services and products supplied to the public by Cloudreach. Acceptable testing does not include anything that may violate laws, cause a data breach or loss of service, or incur harm to Cloudreach or any associated individual.

How to report a vulnerability

Vulnerabilities can be reported to security [@] cloudreach.com. We request that you do not publicly disclose vulnerabilities for the duration of our investigation. 

When submitting a vulnerability report, include all relevant details of the vulnerability or vulnerabilities discovered, to ensure that we are able to validate and reproduce the issue. Once the report has been submitted, we will acknowledge receipt within 5 working days. 

Thereafter, any vulnerabilities will be investigated in order to understand the scope and cause of the issue. Once verified, we will attempt to make contact with the affected owner, who will ultimately hold responsibility for mitigation actions, which we will aim to resolve within 90 days from the time of the initial report.

Additional information

We treat all personal data in line with GDPR legislation. Please refer to our Privacy Notice should you wish to understand how we collect, store and use any personal data you provide to us. If preferable, vulnerability reports can be submitted on an anonymous basis; you can also ask for your personal data not to be kept.

Once mitigated, Cloudreach will reserve the right, in some cases, to publicly announce the vulnerability in the release notes of the update, as well as in any additional public announcements deemed relevant or necessary (for example, via our blog, media or social media). Release notes and any related public announcements may include a named reference to the individuals or group who reported the vulnerability. If you would prefer this information to be omitted, this must be stated at the time of submitting the vulnerability.

Last updated July 2023