Report a Security Event

This reporting guideline explains how to report a security event to IONOS Cloud, what is in and out of scope, and what to expect after you report.

At IONOS, our utmost priority is the security of our customers' data. We support a responsible disclosure process and appreciate reports by well-intentioned, ethical security researchers. We are committed to thoroughly investigating all reports and resolving issues to protect our customers. This policy outlines how IONOS collaborates with its partners, customers, and the security community, detailing the scope and the process involved.

What is a Security Event?

As per ISO/IEC 27000:2018, a security event is an occurrence that could compromise the confidentiality, integrity, or availability of an organization's information assets. These events could include vulnerabilities, security incidents, and malfunctions. They may manifest as anomalies, violations of security policies, or other occurrences that could impact the organization's information security.

How to report a Security Event?

Scope

We encourage every partner, customer and member of the security community to report in-scope findings to us.

The following security events in IONOS products and services are in scope of this policy:

All security events that impact the confidentiality, integrity or availability of our products and services and thus put our customers' data at risk.

The following security events in IONOS products and services are not in scope of this policy. Please refrain from reporting them to us:

  • Denial of Service security events (i.e. findings whose demonstration amounts to overwhelming our services with a high volume of requests)

  • TLS configuration specifics (e.g. no support for TLSv1.3, a specific cipher suite configuration, etc.)

  • Reports indicating that our services do not fully align with "best practice" (e.g. missing security headers or suboptimal email-related configurations such as SPF, DMARC etc.)

Bug Bounty Program

At the moment, IONOS does not have an official bug bounty program.

Reporting a Security Event

We recommend that you read this document entirely before reporting, so that you understand the policy and can act in compliance with it. If your finding is within scope, email your report to security@ionos.com and include:

  • Who is affected by the threat. Whenever possible, include the affected URLs.

  • How the vulnerability, incident or malfunction can be exploited. Screenshots that illustrate the security event are helpful.

  • All relevant details, including the steps required to reproduce the issue.

Note:

  • If you prefer encrypted communication, use our GPG key. After importing it, check that the fingerprint gpg shows for the key is exactly the one below; the value is the full 40-hex-digit fingerprint, and the long key ID (BFE5B220188CF3A5) is its last 16 hex digits.

    • Fingerprint: 7A41 87A8 121B E832 B487 BE48 BFE5 B220 188C F3A5

  • Do not send confidential information, such as your password or any other personal data, in the report or in the reproduction steps.
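The encrypted-report workflow described in the note above, as an added example (this is not IONOS' own tooling): fetch the key by its full fingerprint, verify that the fingerprint of the key that actually landed in the keyring matches the published value, and only then encrypt the report for it. The fingerprint comes from this page; the keyserver (keys.openpgp.org) and the report file name are assumptions.

```shell
# Added example, not IONOS' own script. Only the fingerprint below is taken
# from the reporting page; the keyserver is an assumption.
EXPECTED_FPR="7A4187A8121BE832B487BE48BFE5B220188CF3A5"

# Normalize a fingerprint (drop spaces, uppercase) so that the spaced form
# printed on the page and gpg's compact form compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read "gpg --with-colons --fingerprint" output on stdin and succeed only if
# the primary key's fingerprint record ("fpr", field 10, which directly
# follows the "pub" record) equals the expected fingerprint. Subkey
# fingerprints, which follow "sub" records, are deliberately not consulted.
fpr_matches() {
    expected=$(norm_fpr "$1")
    awk -F: -v want="$expected" '
        $1 == "fpr" { if (toupper($10) == want) found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Import by full fingerprint rather than a short key ID (short IDs are
# trivially collidable), then verify what was imported. Network access and
# the presence of the key on keys.openpgp.org are assumptions.
fetch_and_verify() {
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$EXPECTED_FPR" || return 1
    gpg --with-colons --fingerprint "$EXPECTED_FPR" | fpr_matches "$EXPECTED_FPR"
}

# Encrypt and ASCII-armor the report for the verified key. --trust-model always
# skips the web-of-trust prompt because the fingerprint was checked manually
# against the published value; do not use it before that check has passed.
encrypt_report() {
    report="$1"
    gpg --armor --trust-model always --recipient "$EXPECTED_FPR" \
        --output "${report}.asc" --encrypt "$report"
}

# Usage: sh report.sh send report.txt  (writes report.txt.asc to attach)
if [ "${1:-}" = "send" ]; then
    fetch_and_verify && encrypt_report "$2"
fi
```

The verification step matters because `--recv-keys` only tells you that some key was imported; comparing the colon-format `fpr` record against the published value is what ties the keyring entry to this page. If the fingerprints differ, do not encrypt to the key.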

What to Expect

Upon receipt of your report, our security team will:

  • Acknowledge receipt of your report and assign it a unique identifier, which appears in the email's subject line. Keep the subject line intact and use the identifier in all further correspondence. We typically reply within one working day.

  • Check the validity of the finding and whether the report duplicates an earlier case. We will contact you if we have further questions.

  • If the finding is valid, it will be forwarded to the appropriate internal team for triage and to work on a remediation plan. This process may take a while. You are welcome to inquire about the status of the process, but we recommend that you limit this to no more than once every 14 days.

  • We will contact you once the issue is resolved; we may ask you to re-test at your end to confirm that the problem is fixed.

We will contact you in advance if we must share your findings with another organization.

IONOS will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security event on an in-scope IONOS service.

Feedback

If you wish to provide feedback or suggestions on this policy, contact our security team.
