Security at CubePath
We take the security of our customers' infrastructure seriously. If you've found a vulnerability, we want to hear about it, and we'll work with you to fix it.
Program scope
Anything that affects the confidentiality, integrity or availability of our customers' data or our production systems is in scope.
In scope
- cubepath.com and all production subdomains
- Customer dashboard and admin dashboard
- Public APIs (api.cubepath.com) and identity / SSO flows
- Authentication, authorization and session management
- VPS / bare-metal provisioning, billing and quota logic
- Internet-facing infrastructure operated by CubePath
Out of scope
- Volumetric DoS / DDoS, brute-force or load testing
- Automated scanner output without a working proof of concept
- Best-practice suggestions with no impact (e.g. missing headers, SPF/DMARC)
- Vulnerabilities in third-party services we don't operate
Severity & recognition
We classify reports by impact using CVSS as a guideline. The higher the impact, the higher the reward.
| Severity | Examples | Reward |
|---|---|---|
| Critical | Remote code execution, authentication bypass, full account takeover, mass data exposure | $300 - $1,000 |
| High | Privilege escalation, IDOR on sensitive data, stored XSS in the dashboard | $75 |
| Medium | CSRF with impact, reflected XSS, sensitive information disclosure | $50 |
| Low | Limited-impact issues, minor misconfigurations | $25 |
Valid reports are rewarded according to the table above, plus public credit with your consent. Final amounts depend on impact, exploitability and report quality.
Disclosure process
From the moment you submit, here's what to expect.
Submit
Send a detailed report with a proof of concept through the form below.
Triage
We acknowledge within 48 hours, reproduce the issue and assign a severity.
Remediation
Our engineers fix the vulnerability and keep you updated on progress.
Recognition
Once resolved, we credit you (with consent) and coordinate disclosure.
Rules of engagement
Help us protect our customers by following these guidelines while you research.
Please do
- Provide clear steps to reproduce and a proof of concept
- Test only against your own accounts and resources
- Report issues promptly after you discover them
- Keep data access to the minimum needed to demonstrate impact
- Give us reasonable time to remediate before disclosing
Please don't
- Access, modify or delete other users' data
- Run DoS / DDoS attacks or send spam
- Use automated scanning that degrades our services
- Publicly disclose a vulnerability before it is fixed
Report a vulnerability
Send us the details and our security team will get back to you. The more information you provide, the faster we can validate and fix the issue.
Help us keep CubePath secure
Found something that doesn't look right? Responsible disclosure makes the platform safer for everyone.