cryptoservers.io
Launch server

Security Disclosure

How to report a security vulnerability in our infrastructure or services, and what happens next.

Effective 2026-04-01 Last updated 2026-04-22 Version v2.0 Signed with 0xA62AEDAF647EE3E6
Cryptoservers legal and policy seal

Report a vulnerability

If you believe you have discovered a security vulnerability affecting cryptoservers.io or the underlying infrastructure, please report it via one of the following channels:

Please do not report vulnerabilities through public channels (GitHub issues, Twitter, Mastodon, support tickets) before we have had the opportunity to respond.

Scope

In-scope

  • The cryptoservers.io web property and all subdomains.
  • The customer control panel (panel.cryptoservers.io).
  • The /.well-known/ directory and its signed content.
  • Hypervisor-escape, host-to-guest, guest-to-guest and live-migration bugs affecting our KVM fabric.
  • Authentication / authorisation bypasses in the panel or its OAuth flow.
  • Exposure of customer PII or payment data.

Out of scope

  • Customer-hosted content or customer-operated services running on our infrastructure — contact the customer directly or use abuse@.
  • Denial-of-service tests against our infrastructure.
  • Social-engineering of our staff.
  • Findings from automated scanners without a demonstrable impact.
  • Missing security headers that do not directly lead to a vulnerability.
  • Outdated software versions on marketing surfaces without a working exploit.

What happens after you report

  1. Acknowledgement within 24 hours, 7 days a week. PGP-signed.
  2. Triage within 72 hours — severity assessment and an initial remediation ETA.
  3. Fix and verification — we ship a fix, ask you to verify, then deploy to production.
  4. Coordinated disclosure — agreed with you, typically 90 days after the fix ships. We will publish a post-mortem with credit to you (or anonymous on request).
  5. Bounty — see the Bounty section below.

Bounty scale

Payable in USD (via bank transfer) or the crypto of your choice (BTC, XMR, LTC, ETH, DASH, BCH, DOGE) at the spot rate on the day of award.

Severity (CVSS v3.1)BountyExample
Critical (9.0 – 10.0)$5,000 – $15,000Hypervisor escape, panel RCE, bulk PII exfiltration
High (7.0 – 8.9)$1,500 – $5,000Authenticated RCE, privilege escalation in the panel, SSRF into internal network
Medium (4.0 – 6.9)$300 – $1,500Stored XSS in panel, IDOR exposing non-PII
Low (0.1 – 3.9)$50 – $300Open redirect, missing rate-limit with no direct impact

Duplicate reports are awarded on a first-valid-submission basis. The top bounty we have paid to date is $12,000 (2025-09-11, hypervisor-live-migration TOCTOU). All valid researchers are listed in the Hall of Fame on opt-in.

Safe harbor

Research conducted within the scope and spirit of this policy is not considered unauthorised access under Saint Kitts law or the law of our operating jurisdictions, and we will not pursue civil or criminal action against researchers acting in good faith. Specifically:

  • Do not exfiltrate more data than is necessary to demonstrate impact — a single screenshot proves the point.
  • Do not run destructive actions (deleting customer data, halting services, modifying production state).
  • Stop and report as soon as impact is demonstrated.
  • Do not share findings with third parties before the coordinated disclosure date.

If you accidentally step out of scope — with good-faith intent — contact us immediately and we will work through it together.

This document is v2.0, effective 2026-04-01, last updated 2026-04-22. PGP-signed version available on request at [email protected].