Reporting Vulnerabilities

Be an actor of Cloud security

 

Security is at the core of 3DS OUTSCALE’s business and values.

 

That’s why our company is fully ISO 27001 certified and our Cloud is designed to meet the requirements of organizations in terms of security. We are constantly looking into new standards to ensure the excellence of our infrastructure and the protection of your data at all times.

 

Because security is everyone’s concern, 3DS OUTSCALE encourages reporting of any security vulnerabilities that you may find:

 

 

Want to join our Security team?

We are always looking for new talents! Click here to view our current job openings.

 


 

Reporting Vulnerabilities and Incidents

 

Encounter a vulnerability? That is valuable information that you can share with us through: 

  • a Bug Bounty program (via YesWeHack)
  • an 3DS OUTSCALE support platform (via Zendesk)
  • an email address and an anonymous platform (via Zerodisclo)

 

 

 

 BUG BOUNTY

 

Help track bugs and improve our services as an independent security researcher.

If you discover a security vulnerability, you can be rewarded financially and gain ranks on the Bug Bounty platform according to a points system.

 

Want to join in?

Review the terms of our Bug Bounty programs here https://yeswehack.com/programs/outscale


SUPPORT

 

If you are an 3DS OUTSCALE customer, you can log in to our support platform to report a vulnerability. 

Our teams will respond to every submitted report right away and keep you updated throughout the resolution.

 

What information to provide?

See our recommendations on how to write a vulnerability or incident report


ANONYMOUS

You can also report a security vulnerability while remaining anonymous.

How to do it?

 

Via email at the following address: bugbounty@outscale.com.

Our teams will respond to your report right away.

 

Via the Zerodisclo anonymous platform with YesWeHack.

Zerodisclo guarantees your anonymity through PGP encryption. You can then choose to remain anonymous, or reveal your identity to be contacted or rewarded.


 

Reporting Suspicious Emails

 

If you receive an email claiming to be from 3DS OUTSCALE and you have doubts about its authenticity, do not hesitate to contact us as this can be a phishing email.

These emails are sent by scammers who try to trick you into revealing personal information by making you open an attachment or click a link.

Never click links contained in those suspicious emails as they may contain a virus.

 

 

Wondering if you can trust an email claiming to be from 3DS OUTSCALE?

You can use the following form to report it to us:

 

 
 
 
 

For more information, see the recommendations from ANSSI, the National Cybersecurity Agency of France (French only).

 

 


 

Writing a Vulnerability or Incident Report

 

To fix a vulnerability, our teams need all the information you can provide about it.

Check out these sample reports to help you write yours:

 

 

 

Vulnerability report

 

Title OWASP-A3 Cross-Site Scripting (XSS)
Description  A malicious person can cause an XSS vulnerability.
Source of the vulnerability  Filtering is not correct: the description section is under the user’s control.
Reproduction (PoC) 
  1. Log in to Cockpit account.
  2. Click Instances icon.
  3. Fill in the documentation section with the following value: <script>alert</script>.
Attack scenario An attacker forges the link and sends it to other users.
Recommendations 

It would be better to filter the beginning of tags more effectively by passing it to the appropriate function.

Endpoint (URL)  https://cockpit-eu-west-2.outscale.com/login/
Attachments  Xss.png

 

Incident report

 

Title Issue with an inaccessible instance
Endpoint (URL)  https://cockpit-eu-west-2.outscale.com/login/
Description 

I have an issue with an instance that I cannot access.

  • Account ID: XXXXXXXXXX 
  • Region: eu-west-2 
  • Instance ID: I-xxxxxxxxx
  • Platform: Windows
  • The RDP 3389 port of my SecurityGroup is open on my IP address.
  • Everything was working fine until yesterday evening. As of today, I cannot access my instance.
  • Output message from Cockpit: “Windows is starting, please wait, your instance will be ready in 10 minutes.”

Could you please have a look at this issue?

Attachments screenshot.png