Legal Agreements for CloudLinux Products

Vulnerability Reporting Policy

At CloudLinux we take the security of our customers seriously and try to resolve any security issues as soon as they are reported.

If you found any security issues with CloudLinux products, services, or systems, we appreciate your prompt disclosure of such issues. Please provide full details about the suspected vulnerability so that the CloudLinux security team may verify and reproduce the issue. 

You can use CloudLinux’s Security PGP key to encrypt sensitive information you send via email.

Please submit the report to [email protected].

Policy Scope

We encourage you to discover and report to us any vulnerabilities in the company’s products:

  • CloudLinux OS software, including its components, such as kernel, apache, LVE Manager, Cage FS, MySQL Governor, Selectors, Hardened PHP, mod_lsapi, SecureLinks, Slow Site analyzer, PHP X-Ray, Centralized Monitoring, Accelerate WP, etc.
  • TuxCare Live Patching software, such as KernelCare Enterprise, LibraryCare, KernelCare IoT, QEMUCare, DBCare, including vulnerabilities in any of the software supported by TuxCare
  • Imunify360 software, including its components, such as Firewall, IDS/IPS, Malware scanning, Proactive Defense, etc.
  • Imunify Email software
  • KuberLogic software.

We also accept vulnerabilities in company services and systems if there is a proven security impact. Please always carefully check whose assets you are testing when conducting research.

Out of Scope Vulnerabilities

The list of out-of-scope vulnerabilities includes, but is not limited to:

  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user’s device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practice, configuration, or policy suggestions including SSL/TLS configurations that do not contain a fully functional proof-of-concept
  • Missing/enabled HTTP header/methods which do not lead directly to a security vulnerability
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or bruteforce issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on insensitive cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing
  • Open redirect – unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction