Vulnerabilities

This Reporting Guideline will provide information and recommendations on reporting a vulnerability to IONOS Cloud.

What is a vulnerability?

A vulnerability is a weakness in IONOS systems, configurations, or services that could be exploited by malicious actors to compromise data and resources stored or processed on the cloud platform. Vulnerabilities can be caused by misconfigurations, software bugs, inadequate security controls, or human errors. Here are some examples of vulnerabilities:

  • Insecure APIs: Vulnerabilities in the APIs provided by the cloud service that could be exploited to gain unauthorized access to resources or manipulate data.

  • Technical Vulnerabilities: An IONOS software asset suffers from a security vulnerability such as an XSS or SQLi flaw.

  • Weak Access Controls: Inadequate authentication mechanisms or misconfigured access control policies that allow unauthorized users to access sensitive data or services.

  • Infrastructure Vulnerabilities: Weaknesses in the underlying infrastructure, such as misconfigured servers, networking components, or storage systems, that could be exploited to compromise the IONOS Cloud environment.

Scope

We encourage every partner, customer and member of the security community to report findings in scope to us.

The following security events in IONOS products and services are in the scope of this policy:

Note: All security events that impact the confidentiality, integrity or availability of our products and services and thus put our customers' data at risk.

The following vulnerabilities in IONOS products and services are not in the scope of this policy. Please refrain from reporting them to us:

Note:

— TLS configuration specifics. For example, no support for TLSv1.3, a specific cipher suite configuration, and so on.

— Reports indicating that our services do not fully align with the "best practices". For example, missing security headers or suboptimal email-related configurations such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC) and so on.

How to report?

If you have identified any vulnerability in our systems, configurations, or services that may have an impact on IONOS, report this to us by sending an email to security@ionos.com.

Note:

If you prefer encrypted communication, use our GPG key.

Key-Id: 7A4187A8121BE832B487BE48BFE5B220188CF3A5

Fingerprint: 7A41 87A8 121B E832 B487 BE48 BFE5 B220 188C F3A5

Please provide as much information about the vulnerability as possible, but at least:

  • Who is affected by the threat? Whenever possible, include the affected URLs.

  • How can the vulnerability be exploited? It may be helpful to include screenshots to illustrate the vulnerability.

  • All the relevant details including the steps required to reproduce the issue.

Note: Do not send confidential information, such as your password or any other person-related data.

What to expect?

Upon receipt of your report, our security team will:

  • Acknowledge the arrival of your report and assign you a unique identifier, which can be found in the email's subject line. Please keep the subject line intact and use the identifier in all further correspondences. We typically reply within one working day.

  • Check the validity of the finding and whether the report duplicates an earlier case. We will contact you if we have further questions.

  • If the finding is valid, it will be forwarded to the appropriate internal team for triage and to work on a remediation plan. This process may take a while. You are welcome to inquire about the status of the process, but we recommend that you limit this to no more than once every 14 days.

  • We will contact you once the issue is resolved, and this may need testing at your end to ensure the problem is fixed.

  • We will contact you in advance if we must share your findings with another organization.

IONOS will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security event on an in-scope IONOS service.

Bug bounty program

There is currently no official bug bounty program at IONOS, but we are inducting outstanding ethical security researchers into our Hall of Fame.

Last updated

Revision created

commented latest release