CloudDefense.AI Security Disclosure

Relating to the use of CloudDefense.AI’s Security Disclosure

Best Practices to follow

At CloudDefense.AI, your privacy and safety have always been our top priorities. We have compiled a short checklist of precautions to help you stay safe:
  • Never, under any circumstances, reveal sensitive security or financial information about your company, whether by phone, text, or email.
  • You can rest assured that we will never ask for any of the above-mentioned private information.
  • We will not contact you by phone to request access to your computer via TeamViewer, AnyDesk, or similar remote-access tools in order to obtain sensitive information.
  • Do not engage with the sender of any such message.

Privacy Practices

Without your approval, we do not sell or disclose your personal information to unaffiliated third parties for their own advertising or marketing purposes. Consult our Privacy Policy for additional details.

Cloud Infrastructure

CloudDefense.AI is a unified security platform built on a DevSecOps infrastructure that delivers convenient, scalable and robust next-generation Application Security, from Development to Build to Deployment to Cloud.

Perimeter Security

CloudDefense.AI protects cloud infrastructure from external threats and incorrect permissions, protects the supply chain, and provides security teams with quick and thorough insights into application assets and risks. This gives security teams the information they need to manage risks and enable innovation in their organizations.

We use discovery, posture, and entitlement engines to cover every path through which users can locate previously undiscovered web assets. With the help of our built-in DevSecOps platform, users can generate an SBOM for application code and OSS packages, and catch and fix code, OSS, and IaC vulnerabilities and misconfigurations early in the development lifecycle.

Host Security

We developed an open source platform that can deliver anti-virus, anti-malware, intrusion prevention systems, intrusion detection systems, file integrity monitoring, application control, application and audit log aggregation, and automated patching solutions that are industry-leading.

Legal Basis for our processing personal data

Data Security

On a documented, authorized, need-to-know basis, we use environment separation and segregation of duties, as well as strict role-based access control. We use key management services to limit data access. Encryption at rest protects stored data, while application-level encryption protects sensitive data.

Incident and Change Management

We have implemented mature Change Management processes that allow us to release thoroughly tested features in a reliable and secure manner, so you can enjoy the CloudDefense.AI experience with maximum assurance. We take an aggressive approach to Incident Management for both system downtime and security, and we have an Information Security Management System in place to quickly respond to, remediate, or escalate any incidents arising from planned or unplanned changes.

Vulnerability Assessment and Penetration Testing

Our internal network security team builds industry-driven systems to perform automated VA/PT tasks using state-of-the-art tools. We use static application security testing (SAST) as well as dynamic application security testing (DAST) in our continuous integration / continuous deployment pipeline. We also engage certified auditors and information security engineers to perform external security testing and audits on a regular basis.

Standards and Certifications

Responsible Disclosure

We at CloudDefense.AI are devoted to protecting our customers’ data and privacy.

We use cutting-edge technology to secure our systems at multiple stages. Our data and privacy security design protects against both easily exploited weaknesses and complex threats. We encourage security enthusiasts and researchers to responsibly report CloudDefense.AI security vulnerabilities.

Send a bug report with steps to reproduce the issue to support@clouddefense.ai. Please allow us time to investigate and resolve legitimate issues.

Out of scope tests

The following are out of scope:
  • Reports from vulnerability scanners and other automated tools
  • Disclosure of non-sensitive information, such as product version
  • Disclosure of public user information, such as nickname / screen name
  • Reports based on product/protocol version without demonstration of an actual vulnerability
  • Reports of a missing protection mechanism / best current practice (e.g. no CSRF token, framing/clickjacking protection) without demonstration of real security impact for a user or the system
  • Reports regarding published and non-published SPF and DMARC policies
  • Logout CSRF
  • Vulnerabilities in partner products or services if Clouddefense.ai users / accounts are not directly affected
  • Missing SSL or other BCP for products beyond the main scope
  • Security of rooted, jailbroken or otherwise modified devices and applications
  • Ability to reverse-engineer an application, lack of binary protection
  • Open redirections, unless a security impact (e.g. the ability to steal an authentication token) is identified
  • Plain text, sound, image, or video injection into a server reply outside of the UI (e.g. in JSON data or an error message) if it does not lead to UI spoofing, UI behavior modification or another negative impact
  • Same-site scripting, reflected file download and similar attacks with questionable impact
  • CSP-related reports for domains without CSP, and domain policies with unsafe-eval and/or unsafe-inline
  • IDN homograph attacks
  • XSPA (IP/port scanning of external networks)
  • Excel CSV formula injection, scripting within PDF documents
  • Attacks that require full access to a local account or browser profile
  • Attacks with scenarios where a vulnerability in a third-party site or application is required as a prerequisite and is not demonstrated
  • Theoretical attacks without proof of exploitability
  • Denial of Service vulnerabilities
  • Ability to send a large number of messages
  • Ability to send spam or malware files
  • Information disclosure via external references outside of Clouddefense.ai control (e.g. search dorks to private robots.txt-protected areas)
  • Disclosure of unused or properly restricted JS API keys (e.g. an API key for an external map service)
  • Ability to perform an action unavailable via the user interface without an identified security risk