Bubl Cloud welcomes security research. If you discover a vulnerability in our systems, services, or products, this policy explains how to report it and what to expect in return.
How to report
Send reports to our security team by email. Include enough detail for us to reproduce and assess the issue.
A PGP key is available on request for encrypted reports. Machine-readable contact data is published at /.well-known/security.txt.
What to include
A good report helps us triage and fix faster. Please include:
Description and impact: What the vulnerability is and what an attacker could do with it
Reproduction steps: Proof of concept, requests, or scripts we can run to reproduce the issue
Affected components: URLs, endpoints, or systems where the issue occurs
Credit preference: Your preferred name or handle for the hall of fame, or a request to remain anonymous
Prior disclosure: Whether the finding has been shared with any other party
Scope
In scope
Main website: www.bubl.cloud and subdomains owned by Bubl Cloud B.V.
Platform: Data Vaults, Secure Cloud Compute, Dedicated GPU, managed LLM endpoints, and hosting services
APIs and SDKs: Anything published by Bubl Cloud
Vault isolation: Issues in the sandbox, isolation layer, or access control between vaults
Out of scope
Third-party applications: Apps running inside customer vaults. Report to the application owner.
Integration partners: Systems operated by our partners. Report issues directly to the partner running the system.
Social engineering: Attacks against staff, customers, or partners
Physical attacks: Offices or datacenter facilities
Denial of service: Stress testing and load testing
Low-impact findings: Missing headers or TLS configuration without a working exploit, scanner output without a proof of concept, self-XSS, and issues requiring unrealistic user interaction
What to expect from us
We aim to respond quickly and keep you informed throughout the process. Our target response times:
5 days: Acknowledgement of your report
10 days: Initial triage and severity assessment
30 days: Status updates until resolution
Communication is in English or Dutch. We notify you once the vulnerability is fixed and coordinate on public credit.
Coordinated disclosure
Keep findings confidential until a fix is deployed. Our target resolution window is 90 days from the date of the report. If we need more time, we will communicate clearly and agree a revised timeline with you.
After remediation, you are free to publish. We are happy to coordinate on timing, wording, and public credit.
Safe harbour
Good-faith security research carried out in line with this policy is authorised. We will not pursue legal action against researchers who:
Follow this policy: Act within the scope and rules set out here
Respect privacy: Avoid privacy violations, data destruction, and service disruption
Stop at customer data: Halt testing and contact us immediately if customer data is encountered
Minimise access: Do not exfiltrate data beyond what is strictly needed to demonstrate the issue
Coordinate disclosure: Do not publish or share findings before a fix is in place
If a third party initiates legal action against a researcher acting in good faith under this policy, we will take reasonable steps to confirm the activity was authorised.
This policy does not override contractual obligations or applicable law. Researchers remain responsible for complying with the laws of their jurisdiction.
Rules for researchers
Test in scope only: Do not touch systems outside the list above
Do not access customer data: Never read, modify, or delete it
Preserve availability: Do not degrade or disrupt the service
Clean up: Report and delete any customer data accessed accidentally
Act in good faith: Do not use findings for extortion or public pressure
Recognition and hall of fame
We maintain a hall of fame for researchers who report valid, previously unknown vulnerabilities. Credit is given under your preferred name or handle. Bubl Cloud does not offer monetary rewards at this time.
Be the first
Researchers who report a valid vulnerability will be credited here. Submit a finding to security@bubl.cloud and we will add you after coordinated disclosure.
Found something?
Send a report to our security team. We acknowledge every valid report within five business days.