Report Bug
Report the bug through the form below.
Receive Reward
Get rewarded by Civo, payment depends on the severity of the bug reported.*
About the bug bounty program
The Bug Bounty Program aims to enhance the security of our cloud hosting services by incentivising security researchers and ethical hackers to report potential security vulnerabilities responsibly. This program encourages the responsible disclosure of such vulnerabilities to help us identify and remediate issues before they can be exploited by malicious actors.
We are interested in vulnerabilities that have a direct impact on our service offerings and customer data. Below is a list of some of the vulnerability classes we are seeking submissions for:
- Remote code execution
- Unauthorised access
- Process and environment breakouts
- Privilege escalation
- Sensitive data exposure
What's in scope?
The Bug Bounty Program covers the following Civo Public Cloud services:
- Civo website and dashboard
- API endpoints for provisioning and managing cloud resources (www.civo.com/api).
- api.civo.com
- CLI (www.civo.com/docs/overview/civo-cli)
- IaC (www.civo.com/docs/overview/terraform)
- Kubernetes (www.civo.com/docs/kubernetes)
- Compute (www.civo.com/docs/compute)
- Object Stores (www.civo.com/docs/object-stores)
- Volumes (www.civo.com/docs/compute/instance-volumes)
- Database (www.civo.com/docs/database)
- Networking (www.civo.com/docs/networking)
- Teams (www.civo.com/learn/teams-administration-on-civo)
- Logging
Note: Civo is a cloud service provider that owns a large number of IP ranges. All customer public cloud services are hosted within those ranges and may be assigned a civo.com subdomain, e.g. *.k8s.civo.com or *.lb.civo.com. Under no circumstances attack any IP or subdomain that belongs to another customer. The bug bounty program is limited to the resources (IPs and subdomains) uniquely assigned to your own account.
The Bug Bounty Program also covers Civo's relaxAI:
- RelaxAI website and dashboard
- API endpoints for using the AI Agent
- dashboard.relax.ai/api/*
- www.relax.ai/docs
What's out of scope?
The following are considered out of scope and are excluded from the bug bounty program:
- Physical attacks against data centers, offices, or employees.
- Social engineering (phishing, vishing, smishing) attacks against employees or customers.
- Any form of denial-of-service (DoS or DDoS) attacks or rate-limiting attempts (network and application layer).
- Brute-force attacks or password guessing.
- Attacks targeting outdated or unsupported browsers, plugins, or devices.
- Web browser functionality controlled by the client (e.g. password autocomplete).
- Vulnerabilities in third-party applications and services not owned by Civo.
- Outdated components (software and library versions).
- Username and email enumeration.
- Verbose error messages with no secret data.
- Low-impact issues related to session management (e.g. concurrent sessions, session invalidation after password reset, session expiration).
- Low- or no-impact Cross-Site Request Forgery issues (e.g. logout CSRF).
- Missing or misconfigured HTTP security headers.
- Missing non-sensitive cookie flags.
- DNS records (SPF, DKIM, DMARC).
- EXIF data present in images.
- SSL/TLS issues.
- Recently disclosed vulnerabilities.
Submission Process
To submit a vulnerability report, follow these steps:
- Go to civo.com/bug-bounty and fill out the necessary details.
- Provide a detailed description of the vulnerability, including:
  - Step-by-step instructions to reproduce the vulnerability
  - Any supporting materials (screenshots, videos, scripts, etc.)
  - Impact
  - Recommendations (optional)
- Allow a reasonable amount of time for the Bug Bounty team to review and validate the submission. We will validate submissions within the timeframes in the table below.
Note: the severity stated in a report is re-triaged by the Bug Bounty team, and a different severity (and therefore a different validation timeframe) may be assigned.
Severity | Validation timeframe (working days)
---|---
Critical | 5
High | 5
Medium | 15
Low | 15
Bug bounty rules, rewards and FAQs
Bug bounty rules
What account should I use for testing purposes?
For testing purposes, please use only your test account(s) registered via https://dashboard.civo.com/signup.
Are there any specific HTTP headers I should include in my requests?
Civo encourages (but does not require) that you include the custom HTTP header X-Civo-Bug-Bug-Bounty in all test requests:
How will duplicate submissions be handled?
Multiple vulnerabilities caused by the same underlying issue are treated as one finding and awarded once.
Are there any restrictions on automated scanning and post-exploitation activities?
Yes. Configure automated scanning tools to send requests at a minimal, reasonable rate so they do not overwhelm our systems or cause unnecessary disruption; excessive aggression is not permitted. Post-exploitation activity is strictly prohibited: if you discover a vulnerability that gives you access to a system or to user data, stop there, do not exploit it further, and submit your finding with only the evidence needed to demonstrate the vulnerability.
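As an added example (not Civo's code and not part of the program page), the following Python client applies the operational rules above: it sends requests only to hosts you have listed as resources of your own test account (exact hostname match, so nothing under another customer's *.k8s.civo.com or *.lb.civo.com can be hit by a typo), attaches the recommended X-Civo-Bug-Bug-Bounty header to every request, and throttles with a token bucket so a scanner cannot exceed a chosen requests-per-second rate. The header value, the owned-target list, the 2 requests/second default and the sample URLs are placeholders and assumptions; the page specifies neither a header value nor a numeric rate.

```python
"""Throttled, scope-checked HTTP client for bug bounty testing.

Added example for this page, not Civo's code. Assumptions not stated on the
page: the header value is a researcher identifier of your choosing (the page
gives only the header name), OWNED_TARGETS lists resources provisioned in your
own test account, and 2 requests/second is a conservative default, not a
Civo-published limit.
"""
import time
import urllib.request
from urllib.parse import urlsplit

BOUNTY_HEADER = "X-Civo-Bug-Bug-Bounty"  # header name exactly as listed on the page
HEADER_VALUE = "researcher-handle"       # assumption: the page leaves the value blank

# Constructed placeholders: replace with IPs/hostnames assigned to your own account.
OWNED_TARGETS = {"203.0.113.10", "my-test-cluster.example"}


def in_scope(url, owned=OWNED_TARGETS):
    """True only if the URL's host is exactly one of your own resources.

    Exact match on purpose: no wildcard or suffix matching, so scope cannot
    widen to other customers' hosts in Civo's shared ranges/subdomains.
    """
    host = urlsplit(url).hostname
    return host is not None and host in owned


def bounty_headers(value=HEADER_VALUE):
    """Headers to attach to every test request."""
    return {BOUNTY_HEADER: value, "User-Agent": "bounty-research/1.0"}


class TokenBucket:
    """Allow at most `rate` requests/second with bursts of at most `capacity`.

    `clock` and `sleep` are injectable so the limiter can be exercised offline
    with a virtual clock instead of real waiting.
    """

    def __init__(self, rate=2.0, capacity=2, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.clock = clock
        self.sleep = sleep
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self):
        """Block until one token is available; return the seconds waited."""
        self._refill()
        waited = 0.0
        if self.tokens < 1.0:
            waited = (1.0 - self.tokens) / self.rate
            self.sleep(waited)
            self._refill()
        self.tokens -= 1.0
        return waited


def build_request(url, method="GET"):
    """Build a request carrying the bounty header; refuse out-of-scope targets."""
    if not in_scope(url):
        raise ValueError(f"refusing out-of-scope target: {url}")
    req = urllib.request.Request(url, method=method)
    for name, val in bounty_headers().items():
        req.add_header(name, val)
    return req


def run_scan(urls, limiter, send=urllib.request.urlopen):
    """Send each in-scope URL through the limiter; return (url, status) pairs."""
    results = []
    for url in urls:
        limiter.acquire()                      # never burst past the chosen rate
        with send(build_request(url)) as resp:  # raises before sending if out of scope
            results.append((url, resp.status))
    return results


class FakeClock:
    """Virtual clock for offline demos: sleep() just advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    bucket = TokenBucket(rate=2, capacity=2, clock=clock.now, sleep=clock.sleep)
    print([bucket.acquire() for _ in range(4)], "virtual seconds elapsed:", clock.t)
    print(in_scope("https://203.0.113.10/v2/"), in_scope("https://not-mine.example/"))
```

Pass `run_scan` a list of URLs pointing at your own instances and a `TokenBucket` with the real clock (the defaults); the bucket's burst capacity lets a handful of requests go out immediately, after which the scanner settles at the configured rate.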
Can I discuss or disclose vulnerability information?
No, do not discuss or disclose any vulnerability information without Civo's prior written consent. This includes sharing information with third parties or making it publicly available.
Rewards
How are rewards for eligible vulnerability reports determined?
Rewards for eligible vulnerability reports will be determined based on the severity and impact of the reported issue.
What are the severity levels and corresponding rewards?
The severity levels and corresponding rewards are as follows:
- Critical: up to $500
- High: up to $200
- Medium: up to $150
- Low: up to $100
Can the Bug Bounty team adjust the reward amount?
Yes, the Bug Bounty team will evaluate the severity of each submission and may adjust the reward amount based on factors such as the quality of the report and the potential for exploitation.
If you have any concerns about a reward or about how to conduct your research, please reach out to Civo via the bug report form for guidance.
Bug bounty FAQs
Legal safe harbor
Civo commits not to pursue legal action against researchers who report security vulnerabilities in accordance with the guidelines of this Bug Bounty Program. We ask that you do not exploit any security issue you discover beyond the extent required to demonstrate the vulnerability.
Disclosure policy
After receiving and verifying a report, Civo will work to resolve the issue promptly. We aim to keep researchers informed of the progress during the resolution process.
This Bug Bounty Policy is subject to change without notice. Civo reserves the right to modify the scope, rewards, and guidelines at any time.
How to contact Civo regarding the Bug Bounty Program
For any inquiries or concerns related to the Bug Bounty Program, or if you are uncertain whether your security research is consistent with this policy, please contact us via the bug report form. By participating in this Bug Bounty Program, you acknowledge that you have read and agree to the terms and conditions outlined in this policy. The team is available to provide guidance and help ensure that your research is conducted in a safe and responsible manner.
Submit your bug report
Please give as much information as possible and we'll be in touch soon. Be sure to read and understand what's in scope before submitting.