Bug Bounty Program

Last updated: Feb 9, 2026

Introduction

CloudQuery is committed to the security of our platform and our users' data. We welcome responsible security research and appreciate the efforts of security researchers who help us identify and address vulnerabilities.
If you believe you have discovered a potential security vulnerability in one of our products, we encourage you to discreetly report it to us at [email protected], quickly and responsibly.
Our Bug Bounty Program is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

Acceptance

By participating in this Bug Bounty Program, you agree to comply with the guidelines outlined in this document. CloudQuery reserves the right to modify the terms of this program at any time.

Guidelines

Under this program, “research” means activities in which you:
  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence.
  • Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not submit a high volume of low-quality reports.
  • Once you’ve established that a vulnerability exists or if you encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Scope

The following assets are in scope for this program:
  • docs.cloudquery.io - CloudQuery CLI
  • platform.cloudquery.io - CloudQuery Platform

Out of Scope

CloudQuery website domains and any related subdomains are out of scope.
The following activities are out of scope for the CloudQuery Bug Bounty Program. Conducting any of the activities below will result in permanent disqualification from the program.
  • Targeting assets of CloudQuery's customers
  • Any vulnerability obtained through the compromise of CloudQuery customer or employee accounts
  • Any Denial of Service (DoS) attack against CloudQuery products or CloudQuery customers
  • Social engineering of CloudQuery employees, contractors, vendors, or service providers
  • Knowingly posting, transmitting, uploading, linking to, or sending malware
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam)
If a vulnerability report is submitted about an item included in the above list, CloudQuery will not review it and the report will be rejected.

Reporting a Suspected Vulnerability

If you believe you have found a security vulnerability, please report it to us at [email protected].
To help us respond to your report more efficiently, please provide any relevant supporting materials (such as proof-of-concept code, tool output, etc.) that would help us understand the nature and severity of the vulnerability.

Service Level Agreement (SLA)

CloudQuery is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concerns. You will receive a non-automated response to your initial contact as quickly as possible, confirming receipt of your reported vulnerability and assigning you a tracking number.
The time required to validate a reported vulnerability varies from case to case and depends on the complexity and severity of the issue. We make every effort to provide all reports and answers within 120 days.

Disclosure

CloudQuery requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until CloudQuery has had the opportunity to analyze the vulnerability, respond to the notification, and notify key users, customers, and partners.
Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to originate in a CloudQuery product, this will be shared with you.