FinnaCloud Vulnerability Disclosure Policy

Introduction

FinnaCloud is committed to the security and resilience of our cloud platform, services, and the data entrusted to us by our customers. We recognize the vital role of the global security research community in strengthening our defenses. This Vulnerability Disclosure Policy (VDP) establishes clear, collaborative guidelines for responsibly reporting security vulnerabilities. We invite ethical hackers, researchers, and community members to partner with us in good faith to identify and resolve issues before they can be exploited.

Participation in this program requires adherence to these guidelines. In return, we pledge to handle all submissions confidentially, transparently, and without any form of retaliation. Note that any unauthorized access or activities breaching our Terms of Service or applicable laws remain strictly prohibited.

Scope

In Scope

This policy covers vulnerabilities affecting the following FinnaCloud-owned assets:

  • Publicly accessible endpoints on *.finnacloud.com (e.g., APIs, web applications, and public portals), excluding client-specific subdomains such as *.client.finnacloud.com and *.client.finnacloud.net.
  • Core FinnaCloud services, encompassing storage, compute, networking, and identity management functionalities.
  • Official FinnaCloud mobile and desktop applications.
  • Any open-source projects directly maintained by FinnaCloud.

We welcome reports on high-impact issues, including but not limited to:

  • Cross-site scripting (XSS) and cross-site request forgery (CSRF).
  • Server-side request forgery (SSRF).
  • Authentication or authorization mechanism bypasses.
  • Injection vulnerabilities (e.g., SQL, command, or template injection).
  • Remote code execution (RCE).
  • Misconfigurations resulting in sensitive data exposure or privilege escalation.

Out of Scope

To focus our efforts, the following are not eligible for review, acknowledgment, or rewards under this policy:

  • Vulnerabilities in third-party services, libraries, or dependencies (e.g., flaws in upstream OpenSSL), unless uniquely exacerbated by FinnaCloud's implementation.
  • Client-specific subdomains like *.client.finnacloud.com and *.client.finnacloud.net.
  • Denial-of-service (DoS) or resource exhaustion attacks, including those impractical to execute at scale.
  • Attacks reliant on social engineering, phishing, spam, or physical security.
  • Issues requiring non-standard setups, such as jailbroken devices or outdated software.
  • Previously known or publicly disclosed vulnerabilities without a novel, reproducible proof-of-concept.
  • Best-practice deviations with negligible impact, such as missing security headers (absent exploitation) or self-XSS.
  • Any conduct violating laws, our Terms of Service, or ethical boundaries.

Reporting Guidelines

We value thorough, actionable reports that enable swift remediation. Security is paramount—do not send full vulnerability details unencrypted. To report a vulnerability:

  1. Initial Contact: Email [email protected] with a high-level summary of the issue (e.g., "Potential XSS in public API endpoint") and request a secure submission method. Do not include proof-of-concept code, steps to reproduce, or sensitive details in this initial email.
  2. Secure Submission: Upon receipt, we will promptly provide a secure channel, such as:
    • A short-term PGP key for encrypted email.
    • A temporary secure upload service or shared link where you can document and submit the full report.
  3. Document Comprehensively: In your secure submission, include:
    • A concise vulnerability summary.
    • Reproducible steps (e.g., curl commands, screenshots, or video demos).
    • Affected environment (e.g., browser/OS versions, service endpoints).
    • Assessed impact (e.g., confidentiality/integrity/availability risks).
    • Proof-of-concept code, if applicable.
    • Remediation recommendations.
  4. Maintain Confidentiality: Refrain from public disclosure—via blogs, social media, or conferences—until we confirm resolution and agree on timing.
  5. Prioritize Safety: Test minimally and non-destructively. Never access, alter, or exfiltrate real user data, even for verification.

The [email protected] address has an autoresponder set up to send an automated confirmation. If you do not receive this confirmation or encounter a mail server error, please contact [email protected] or a sales representative for assistance.

We accept anonymous initial contacts, though providing a contact enables collaboration and follow-up. Expect an automated confirmation when your initial email is received, followed by details of the secure submission method within 4 hours during business hours.

Our Response Process

Our goal is efficient, empathetic collaboration:

  1. Acknowledgment: Within 24 hours for all reports; immediate for criticals.
  2. Triage: Full evaluation within 2 business days, scoring severity via CVSS v3.1 (or equivalent) and confirming scope.
  3. Validation & Remediation: Partner with you to verify and patch. High/critical issues targeted for fix within 14 days; others within 60 days.
  4. Closure: Notify you of deployment, including any interim mitigations.
  5. Coordinated Disclosure: Post-resolution, we'll discuss joint publication (with your approval) or private attribution.

Invalid or out-of-scope reports receive a polite explanation. Escalations or disputes can be directed to our security lead.

Rewards and Recognition

FinnaCloud maintains a discretionary bug bounty program to incentivize quality contributions. Eligible reports are evaluated holistically—considering severity, exploitability, and report clarity—with rewards calibrated accordingly and kept confidential.

  Severity (CVSS Score)   | Eligibility Status
  ------------------------|-------------------
  Critical (9.0–10.0)     | High Priority
  High (7.0–8.9)          | Eligible
  Medium (4.0–6.9)        | Eligible
  Low (0.1–3.9)           | Case-by-Case

Payouts, upon verification and a simple agreement, occur via secure methods (e.g., wire transfer or cryptocurrency). We also offer non-monetary recognition, such as Hall of Fame listings or co-authorship on advisories (opt-in only). Duplicates earn prorated or no credit.

Legal Safe Harbor

Good-faith research aligned with this policy enjoys broad protections from FinnaCloud:

  • No civil lawsuits, criminal referrals, or service disruptions for compliant testing.
  • Coverage extends solely to in-scope assets and non-malicious actions.
  • Researchers must independently ensure legal compliance in their jurisdiction.

We reciprocate by safeguarding your findings from misuse. Violations of this trust may void protections.

Contact and Updates

Inquiries? Reach [email protected]. If you encounter issues with this address (e.g., no autoresponder or delivery errors), contact [email protected] or a sales representative.

Last updated: November 4, 2025. Revisions will be announced via email to known contributors and posted publicly.

Thank you for safeguarding FinnaCloud's ecosystem—your vigilance fortifies us all.

Effective: 1 October 2025 • Last Reviewed: 1 October 2025
