Last updated: July 12, 2026
1. Responsible disclosure
If you believe you found a vulnerability in a CloudyMax-owned system, report it promptly and give us reasonable time to investigate and fix it before public disclosure.
When research is performed in good faith and follows this policy, CloudyMax will not intentionally initiate legal action for the research described in the report.
2. In scope
CloudyMax-owned public website, account dashboard, authentication flow, billing activation logic, official APIs, and support workflows are in scope unless we state otherwise.
3. Out of scope
The following activities are not allowed under this policy.
- Social engineering, phishing, physical attacks, or employee targeting.
- Denial-of-service, stress testing, spam, brute force, or high-volume scanning.
- Accessing, copying, modifying, deleting, or exposing data that does not belong to you.
- Testing third-party systems, payment processors, app stores, hosting providers, or vendors.
- Extortion, public disclosure before remediation, or using a vulnerability for unauthorized advantage.
4. Report requirements
A strong report includes the affected URL or asset, vulnerability type, clear reproduction steps, proof of concept, screenshots or video if safe, potential impact, accounts used for testing, and suggested remediation if available.
Do not include actual customer personal data in your report. If you accidentally encounter sensitive data, stop testing and report what happened without copying or sharing the data.
5. Rewards
CloudyMax may offer discretionary recognition or rewards for high-quality reports, but no reward is guaranteed unless confirmed in writing.
6. Contact
Security reports may be sent to support@cloudymax.com with SECURITY REPORT in the subject.