Cloud.ru is a provider of cloud services and AI technologies that makes accessing the cloud and artificial intelligence simple and convenient. The company offers over 100 IaaS and PaaS services, a supercomputer-powered ML platform, and the Cloud.ru Evolution public cloud, built using a combination of proprietary technology and open-source solutions. The provider’s infrastructure is hosted across six Tier III data centers in Russia, ensuring uninterrupted operation during equipment maintenance and upgrades, as well as a minimum availability of 99.982%.
Rewards are paid to individual entrepreneurs and self-employed persons
Program description

Cloud.ru

Cloud.ru is a cloud services and AI technology provider that makes access to cloud infrastructure and artificial intelligence simple and convenient. Cloud.ru offers more than 100 IaaS and PaaS services, an ML platform based on supercomputing infrastructure, and the public cloud Cloud.ru Evolution built on proprietary engineering and open-source technologies. Cloud.ru infrastructure is hosted in Tier 3 data centers in Russia. This supports high availability during maintenance and modernization and provides availability of at least 99.982%.
  • Number 1 in the IaaS segment (iKS-Consulting, 2024)
  • Number 1 in the PaaS segment (iKS-Consulting, 2024)
  • Number 1 in the AI market (CNews Analytics, 2024)
Cloud.ru has more than 1,500 specialists in information technology, cybersecurity, and AI. Cloud.ru is among the largest information technology companies in Russia and is also recognized among top employers on Habr Career.
To learn more, visit Cloud.ru or subscribe to Cloud․ru Tech on Telegram.

Scope of the Cloud.ru bug bounty program

This bug bounty program covers the account portal and the services provided through the Cloud.ru Evolution cloud platform.

Cloud.ru Evolution platform

Cloud.ru Evolution is a public cloud built on Cloud.ru's proprietary technologies. It provides IaaS and PaaS services, GPU-enabled compute resources, and dedicated bare-metal server rentals.
Create an account in the account portal to access the platform.

 

Platform services

Under this bug bounty program, you may test services that are in General Availability. These are services that are fully available to users and do not require activation by customer support.
Domains and services in scope for platform testing:
  • Platform console: console.cloud.ru/* (all products in GA)
  • Service product APIs: *.api.cloud.ru

Other in-scope targets are listed in the program scope.

Traffic identification for program participants

While testing, include the HTTP header X-Bug-Bounty: {Username} in all outbound requests to help ensure your testing traffic is not flagged as malicious.

RCE testing rules

When testing for remote code execution (RCE) vulnerabilities, you must adhere to the following policy.
Only the following actions are allowed on the server:
  • Execute the ifconfig (ipconfig), hostname, and whoami commands.
  • Read the contents of the /etc/passwd and /proc/sys/kernel/hostname files (drive:/boot.ini, drive:/install.ini).
  • Create an empty file in the directory of the current user.
Any other actions require prior approval from our security team in the relevant report on the bug bounty platform.

Prohibited actions

  • Don't exploit a vulnerability beyond what is required to validate and demonstrate the issue.
  • Don't scan Cloud.ru networks or any networks belonging to Cloud.ru customers.
  • Don't share any details of a report without explicit approval from the Cloud.ru security team.
  • Don't continue an attack after achieving a container escape, including attempting to access sensitive data, or attempting vertical or horizontal privilege escalation, or taking similar follow-on actions.
  • Don't perform aggressive testing that could cause a denial of service (DoS or DDoS) to Cloud.ru services.
  • Don't use social engineering techniques.
  • Don't flood the Support section with requests within any project.

Vulnerabilities we are interested in

We are primarily interested in critical vulnerabilities involving access to personal data or container escape. This includes issues that could cause sensitive data exposure or enable privilege escalation, whether horizontal or vertical.
Examples of the types of vulnerabilities we are interested in:
  • Remote code execution (RCE)
  • SQL injection
  • Business logic flaws
  • Privilege escalation within a user's organization
  • Access control vulnerabilities, including cross-tenant and single-tenant isolation issues
  • Exposure of sensitive information
  • Authentication and authorization weaknesses
  • SSRF or XXE that leads to sensitive information disclosure
  • XSS, excluding self-XSS
  • Container escape

Vulnerabilities we do not accept

  • Reports produced by automated tools.
  • RCE findings that do not include container escape and do not demonstrate the ability to move laterally or escalate privileges within the user's project.
  • Information disclosure that does not involve confidential or sensitive information.
  • Disclosure of publicly available user information.
  • Reports that only identify a product or protocol version, without demonstrating a real security impact.
  • Statements about "vulnerable" versions or protocols without evidence of a real, exploitable issue.
  • Insecure default configurations in service images available through the Cloud.ru Marketplace.
  • Disclosure of non-sensitive information, such as a product version.
  • The ability to perform an action that is not available in the user interface, when it does not introduce a security risk.
  • Issues that reveal only user account identifiers and do not expose passwords or other personal data.
  • Vulnerabilities in partner services or products that do not directly impact our security.
  • Blind SSRF that cannot be used to scan or send requests to internal infrastructure.
  • Attacks that depend on vulnerabilities in third-party websites, applications, or libraries, unless you demonstrate a real security impact on the user or the system.
  • Findings related to CSP configuration, unless you demonstrate a real security impact on the user or the system.
  • Logout CSRF, self-XSS, framing, and clickjacking.
  • Attacks that require full control over the user's device and software environment.
  • Reports about the ability to reverse-engineer an application or the lack of code obfuscation.
  • Purely theoretical attacks without evidence of exploitability.

Report requirements

Your report must include at least the following:
  • Link to the affected resource
  • Clear, complete description of the vulnerability
  • Complete reproduction details:
    • Screenshots
    • Full request and response data
    • Proof-of-concept code
    • Identifiers of the accounts used for testing
    • Any other materials needed to reproduce and validate the issue
  • Assessment of the potential impact on the user's project or organization
  • Brief remediation recommendations

Eligibility restrictions

Current employees of Cloud.ru and its affiliates are not eligible to participate in this Bug Bounty program. This also applies to individuals performing work or providing services for Cloud.ru or its affiliates under civil law contracts. This restriction continues for one year after the end of the employment or contractual relationship with Cloud.ru or its affiliates.

Bounty policy

If you identify multiple vulnerabilities with the same underlying root cause, we will issue only one reward.
The Cloud.ru cybersecurity team makes the final determination of vulnerability severity and reward amount based on factors such as:
  • Impact on the security of Cloud.ru customers
  • Impact on business risk
  • Likelihood of exploitation and other factors
  • Potential impact on other users' projects or organizations
 

Duplicate vulnerabilities

If a ticket for the same vulnerability already exists at the time you submit your report, a bounty will be awarded only to the first researcher who reported it.

0-day vulnerabilities

Publicly disclosed 0-day and 1-day vulnerabilities may also be marked as duplicates if the Cloud.ru security team was already aware of the issue and a fix or remediation is already in progress.

Useful links

Documentation for Cloud.ru cloud platforms and services:
Launched May 12, 09:10
Edited Yesterday, 09:48
Program format
Vulnerabilities
Reward for vulnerabilities
by severity level
Critical
₽250K–400K
High
₽100K–250K
Medium
₽30K–130K
Low
₽0–20K
None
₽0–0
Top hackers
Overall ranking
The ranking is still empty