Vulnerability Disclosure Policy
Version 1.0 of this document was created on October 23, 2024.
At Ambassadors Lab, we consider the security of Cube our top priority. But no matter how much effort we put into system security, there may still be undiscovered vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible and better protect our clients and systems.
Guidelines
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data. Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
Reporting a vulnerability
We accept vulnerability reports through support@cube-cloud.com. Reports may be submitted anonymously. We do not support PGP-encrypted emails at this time, although if data encryption is advisable we can set up alternative data encryption methods for the exchange of information.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect users of other services and not solely Cube, we may share your report with those services as well.
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
We will:
- respond to your report within 3 business days with our evaluation of the report and an expected resolution date,
- not take any legal action against you in regard to the report, if you have followed the instructions above,
- handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
- keep you informed of the progress towards resolving the problem,
- acknowledge you as the discoverer of the problem in the public information concerning the problem reported (unless you desire otherwise). Affected clients and users will be informed likewise.
Disclosure
Ambassadors Lab is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action likely increases rather than decreases risk.
Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.