
Responsible Disclosure Program

Active version 2.0 | Updated 03 September 2025


Upsun is a Platform-as-a-Service where customers can host their applications and make them available to the world without worrying about the "how".

At Upsun, we take the security of our platform seriously. We appreciate the work of security researchers and welcome responsible disclosure that helps us protect our customers and our infrastructure.

This Vulnerability Disclosure Program (VDP) is not a public bug bounty program.

Program Overview

Our goal is to give security researchers a clear, simple and safe way to report vulnerabilities affecting Upsun or Blackfire.
This program allows you to disclose potential vulnerabilities responsibly, without fear of legal consequences, provided you follow the guidelines below.

Program Guidelines

When testing or reporting, you must:

  • Avoid affecting our users, systems or data: no service disruption, no degradation, no privacy violations
  • Only test using your own accounts, or accounts where you have explicit permission
  • Use our official reporting channel (security.txt)
  • Keep all findings confidential for 90 days or until we complete remediation
  • Coordinate any public disclosure with us

If you follow these rules, we commit to:

  • Providing you with Safe Harbor protections
  • Working with you to validate and remediate legitimate issues
  • Considering high-quality, high-impact submissions for an invitation to our private HackerOne program

Program Scope

In scope

The following assets operated directly by Upsun, Platform.sh or Blackfire:

  • *.upsun.com (one subdomain level)
  • *.platform.sh (one subdomain level)
  • Blackfire dashboards and the Blackfire agent

If a hostname contains more than one subdomain level below the base domain, it is almost certainly a customer application and out of scope.

Examples:

  • eu.platformsh.site: in scope
  • foo.eu.platformsh.site: out of scope (customer application)

Out of scope

The following are always out of scope:

1. Customer applications

Upsun operates as a PaaS where customers host their applications and use our tooling to improve their productivity.

Under our shared responsibility model, customers are responsible for the security of their own applications. Customer applications are therefore always out of scope for the purpose of this program.

2. Third-party platforms we use

Examples include:

  • Drift
  • Stripe
  • Slack
  • Zendesk
  • Disqus
  • Google Tag Manager
  • fonts.googleapis.com
  • cdn.jsdelivr.net

Findings against those vendors should be reported directly to them.

3. Core Ineligible Findings

Including but not limited to:

  • Reports without a demonstrated real-world security impact
  • Missing headers (X-Frame-Options, CSP, etc.)
  • SPF/DMARC/DKIM configuration issues
  • TLS/SSH configuration or cipher suite “weaknesses”
  • Clickjacking without an actual exploit
  • Version disclosures, outdated libraries without exploitation
  • Low-impact CSRF (non-sensitive actions), self-XSS
  • Rate limiting tests or noisy scanning
  • DoS, DDoS, or any volume-based testing
  • Social engineering, phishing, physical security issues

Full reference: HackerOne Core Ineligible Findings

We do not process these reports, and they will never result in a reward or an invitation.

Report Structure

When submitting a report, please include:

  1. Summary: a clear explanation of the issue
  2. Steps to Reproduce / PoC: enough detail for us to validate the vulnerability
  3. Impact: the real-world impact, demonstrating how security properties can be meaningfully compromised

Please do not include real data samples such as PII, cardholder data or other sensitive information. Provide only the information needed for validation.

We strongly discourage the excessive or uncritical use of LLMs to generate reports.

Low-effort AI-generated reports will be rejected immediately and will not result in an invitation to our private program.

If you use an LLM, make sure the content is accurate, concise and validated manually.

How to submit

Please submit all reports through the contact listed in our security.txt file:

Before reporting, double-check:

  • The asset is in scope
  • The vulnerability has real security impact
  • You can provide a clear PoC
  • It is not covered under the out-of-scope section above

Low-impact or purely theoretical issues will not be accepted.
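Because the program routes every report through the contact published in security.txt, a researcher's first step is to fetch and validate that file. The following is an added example, not part of this page or of Upsun's own tooling: a small parser and validator for the security.txt format defined in RFC 9116 (the file is conventionally served at /.well-known/security.txt). The file contents embedded below are constructed for illustration; the domains, addresses and dates in it are placeholders, not Upsun's real contact details.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample file for illustration only; not Upsun's real security.txt.
# Field names follow RFC 9116. Contact lines are listed in order of preference.
SAMPLE_SECURITY_TXT = """\
# Example security.txt (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-03-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/disclosure
"""

REQUIRED_FIELDS = ("contact", "expires")          # MUST appear (RFC 9116 s2.5)
SINGLE_VALUE_FIELDS = ("expires", "preferred-languages")  # MUST NOT repeat
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Parse a security.txt body into {lowercased field name: [values]}.

    Comments (#) and blank lines are skipped. If the file is wrapped in an
    OpenPGP cleartext signature, the armor header ("Hash:" lines) and the
    trailing signature block are skipped so only the signed body is parsed.
    """
    fields = {}
    state = "body"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            state = "armor_header"   # "Hash: ..." lines follow, then a blank line
            continue
        if state == "armor_header":
            if line == "":
                state = "body"
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                    # everything after this is the signature
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed security.txt line: %r" % raw)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse the ISO 8601 Expires value; naive timestamps are taken as UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def validate(fields, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for f in REQUIRED_FIELDS:
        if f not in fields:
            problems.append("missing required field: " + f)
    for f in SINGLE_VALUE_FIELDS:
        if len(fields.get(f, [])) > 1:
            problems.append("field must appear only once: " + f)
    for c in fields.get("contact", []):
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append("contact is not a mailto:, https: or tel: URI: " + c)
    if len(fields.get("expires", [])) == 1:
        try:
            exp = parse_expires(fields["expires"][0])
        except ValueError:
            problems.append("expires is not an ISO 8601 timestamp")
        else:
            if exp <= now:
                problems.append("file has expired; do not trust its contacts")
            elif exp > now + timedelta(days=366):
                problems.append("expires is more than a year out (RFC 9116 advises less)")
    return problems


def report_contacts(text, now=None):
    """Return the Contact URIs, in order of preference, or [] if the file is invalid."""
    fields = parse_security_txt(text)
    return [] if validate(fields, now) else list(fields["contact"])


if __name__ == "__main__":
    print(report_contacts(SAMPLE_SECURITY_TXT))
```

An expired file is treated as invalid on purpose: the whole point of the Expires field is that a stale file may list a contact that no longer reaches the security team, so a report sent there could sit unread past the 90-day confidentiality window.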

Private Bug Bounty Program

We maintain a private bug bounty program on HackerOne.
It is invitation-only and focused on impactful vulnerabilities.

If you believe your expertise could be valuable, feel free to include your HackerOne username in your report.
Researchers who demonstrate strong signal, quality and impact may receive an invitation.


We appreciate the time and effort researchers invest in helping us secure Upsun.

Your responsible disclosure helps protect our users, our platform, and the broader ecosystem.


Previous version: Responsible Disclosure Program, version 1.0
