This Reporting Guideline provides information and recommendations on reporting a malfunction or an information security incident to IONOS Cloud.
A malfunction refers to an operational failure, disruption, or issue within the cloud computing services offered by IONOS that impacts the security of the data and systems hosted on the cloud. Network connectivity issues, server failures, storage problems, and performance degradation are common examples of malfunctions. Because malfunctions can lead to information security incidents, they should be reported so that such incidents can be prevented.
An information security incident involves any event or occurrence that compromises the security of IONOS cloud infrastructure, services, or data within its environment. These incidents can impact the confidentiality, integrity, and availability of data and systems hosted on the IONOS platform. Here are some examples of information security incidents:
Denial of Service (DoS) attacks: Malicious attempts to overload cloud services, making them unavailable to legitimate users.
Data Breaches: Unauthorized access to sensitive data stored on the cloud, leading to the exposure or theft of confidential information.
Malware Infections: Introduction of malware into the cloud environment, which can lead to data loss, system compromise, or unauthorized access.
Ransomware Attacks: Malware that encrypts a user's files and demands a ransom for their release, often resulting in data loss or financial impact.
Insider Threats: Malicious actions by individuals with legitimate access to the cloud environment, resulting in security breaches or data exfiltration.
If you have identified a malfunction or security incident that may affect IONOS, report it to IONOS Cloud Support.
Please provide as much information about the security event as possible, but at least:
Type of the event.
Date and time (including the time zone) of the event.
A description and any other information relevant to the event, such as log messages, if available.
Contact information where we can reach you for follow-up.
Note: Do not include sensitive data, such as your password, in your description.
Our system administrators are available 24 hours a day, 365 days a year. Upon receipt of a support request, you will be contacted by a trained system administrator. The following response times apply to incoming support requests:
Reporting a malfunction or security incident related to IONOS Cloud (without Cubes): < 1 hour
Reporting a malfunction or security incident related to IONOS Cloud Cubes: < 6 hours
Info: IONOS will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security event on an in-scope IONOS service.
This Reporting Guideline will provide information and recommendations on reporting a vulnerability to IONOS Cloud.
A vulnerability is a weakness in IONOS systems, configurations, or services that could be exploited by malicious actors to compromise data and resources stored or processed on the cloud platform. Vulnerabilities can be caused by misconfigurations, software bugs, inadequate security controls, or human errors. Here are some examples of vulnerabilities:
Insecure APIs: Vulnerabilities in the APIs provided by the cloud service that could be exploited to gain unauthorized access to resources or manipulate data.
Technical Vulnerabilities: An IONOS software asset suffers from a security vulnerability such as an XSS or SQLi flaw.
Weak Access Controls: Inadequate authentication mechanisms or misconfigured access control policies that allow unauthorized users to access sensitive data or services.
Infrastructure Vulnerabilities: Weaknesses in the underlying infrastructure, such as misconfigured servers, networking components, or storage systems, that could be exploited to compromise the IONOS Cloud environment.
We encourage every partner, customer, and member of the security community to report in-scope findings to us.
The following security events in IONOS products and services are in the scope of this policy:
Note: All security events that impact the confidentiality, integrity or availability of our products and services and thus put our customers' data at risk.
The following vulnerabilities in IONOS products and services are not in the scope of this policy. Please refrain from reporting them to us:
Note:
— TLS configuration specifics. For example, no support for TLSv1.3, a specific cipher suite configuration, and so on.
— Reports indicating that our services do not fully align with the "best practices". For example, missing security headers or suboptimal email-related configurations such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC) and so on.
If you have identified any vulnerability in our systems, configurations, or services that may have an impact on IONOS, report this to us by sending an email to security@ionos.com.
Note:
If you prefer encrypted communication, use our GPG key.
— Key-Id: 7A4187A8121BE832B487BE48BFE5B220188CF3A5
— Fingerprint: 7A41 87A8 121B E832 B487 BE48 BFE5 B220 188C F3A5
Please provide as much information about the vulnerability as possible, but at least:
Who is affected by the threat? Whenever possible, include the affected URLs.
How can the vulnerability be exploited? It may be helpful to include screenshots to illustrate the vulnerability.
All the relevant details including the steps required to reproduce the issue.
Note: Do not send confidential information, such as your password or any other person-related data.
Upon receipt of your report, our security team will:
Acknowledge the arrival of your report and assign you a unique identifier, which can be found in the email's subject line. Please keep the subject line intact and use the identifier in all further correspondence. We typically reply within one working day.
Check the validity of the finding and whether the report duplicates an earlier case. We will contact you if we have further questions.
If the finding is valid, it will be forwarded to the appropriate internal team for triage and to work on a remediation plan. This process may take a while. You are welcome to inquire about the status of the process, but we recommend that you limit this to no more than once every 14 days.
We will contact you once the issue is resolved; this may require testing on your end to confirm that the problem is fixed.
We will contact you in advance if we must share your findings with another organization.
IONOS will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security event on an in-scope IONOS service.
There is currently no official bug bounty program at IONOS, but we are inducting outstanding ethical security researchers into our Hall of Fame.
This Reporting Guideline will provide information and recommendations on reporting an information security event to IONOS Cloud.
At IONOS, we take the security of our customers' data very seriously. We support a responsible disclosure process and appreciate reports by well-intentioned, ethical security researchers. We are committed to thoroughly investigating all reported information security events and resolving issues to protect our customers. This document outlines how IONOS collaborates with its partners, customers, and the security community, detailing the scope and the process involved.
An information security event refers to any occurrence that has the potential to impact the security of an organization's information technology systems or data. It includes: