Security Vulnerability Disclosure Policy
About CSOH: Cloud Security Office Hours is a volunteer-run community for cloud security professionals. We are not a company and do not produce software products or services. This policy covers security issues related to our website (csoh.org) and community resources only.
Scope
This security policy applies to vulnerabilities found in:
- The csoh.org website - our public-facing community website
- Our web infrastructure - server configurations, DNS, SSL/TLS, hosting
- Community resources - publicly hosted materials and documentation
Out of Scope
The following are NOT covered by this policy:
- Third-party services we link to (Zoom, PayPal, etc.)
- Third-party security tools, labs, or CTF platforms listed in our resources
- User-generated content shared during community sessions
- Social engineering attacks against community members
- Theoretical vulnerabilities without proof of exploitability
What We Consider a Security Vulnerability
We take security seriously and welcome reports of genuine security issues, including:
- Cross-Site Scripting (XSS)
- SQL Injection or other injection attacks
- Server-Side Request Forgery (SSRF)
- Authentication or authorization bypass
- Sensitive data exposure (e.g., exposed credentials, API keys)
- Security misconfigurations with exploitable impact
- Content Security Policy (CSP) bypasses
How to Report a Vulnerability
If you discover a security vulnerability on csoh.org, please report it responsibly:
Preferred method: Email us at admin@csoh.org or reach out to one of the community organizers during our Friday Zoom session.
What to include in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity
- Any proof-of-concept code or screenshots (if applicable)
- Your suggested remediation (optional but appreciated)
What to Expect
As a volunteer-run community, our response times may vary:
- Acknowledgment: We aim to acknowledge receipt within 7 days
- Initial assessment: We will assess the issue and communicate our findings within 14 days
- Resolution timeline: Depends on severity and complexity - we'll keep you updated
- Public disclosure: We appreciate coordinated disclosure and will work with you on timing
Our Commitment
If you report a security issue in good faith, we will:
- Not pursue legal action against you
- Work with you to understand and validate the issue
- Keep you informed about our progress toward resolution
- Publicly acknowledge your contribution (if you wish) after the issue is resolved
Responsible Disclosure Guidelines
When researching and reporting vulnerabilities, please:
- Do not access, modify, or delete data that doesn't belong to you
- Do not perform actions that could harm our website availability (DoS/DDoS)
- Do not disclose the issue publicly until we've had a chance to address it
- Do not exploit the vulnerability beyond what's necessary for validation
- Do test only against csoh.org (not our members or users)
- Do stop testing if you encounter user data and report immediately
Recognition
While we don't offer bug bounties (we're an all-volunteer community with no funding), we deeply appreciate responsible disclosure. With your permission, we'll:
- Publicly thank you in our community
- Add your name to a security researchers acknowledgments section (coming soon)
- Offer a recommendation/testimonial for your professional profile
Security.txt
A machine-readable version of this policy, in the security.txt format defined by RFC 9116, is published at:
https://csoh.org/.well-known/security.txt
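RFC 9116 fixes what a security.txt must contain: at least one Contact URI, exactly one Expires timestamp (RFC 3339, in the future, and recommended to be less than a year out), and at most one Preferred-Languages line. The checker below is an added example, not csoh.org's own code or the contents of its security.txt; it parses a file body and reports the common mistakes (missing or repeated fields, non-https Contact URIs, an expired or far-future Expires). The two inputs are constructed samples: the Contact and Canonical values are taken from this page, while the Expires, Preferred-Languages values and the reference date are assumptions.

```python
"""Minimal RFC 9116 security.txt checker (added example, not csoh.org's own code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Field names RFC 9116 defines; they are case-insensitive on the wire.
REQUIRED = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
KNOWN = REQUIRED | SINGLE_VALUED | {"acknowledgments", "canonical", "encryption", "hiring", "policy"}

# Reference "now" for the checks below: the policy's last-updated date (assumption for the example).
REFERENCE_NOW = datetime(2026, 5, 23, tzinfo=timezone.utc)

# Constructed sample; Contact and Canonical come from the policy page, the rest is assumed.
GOOD_EXAMPLE = """\
# security.txt for csoh.org (constructed sample, not the live file)
Contact: mailto:admin@csoh.org
Expires: 2026-12-31T23:59:59Z
Canonical: https://csoh.org/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample carrying the mistakes a checker should catch.
BAD_EXAMPLE = """\
Contact: http://example.com/security
Contact: admin at example.com
Preferred-Languages: en
Preferred-Languages: de
This line has no colon
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return {lowercased field name: [values...]}; comments and blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the file passes every check."""
    fields = parse_security_txt(text)
    problems: List[str] = []

    for line in fields.get("__malformed__", []):
        problems.append(f"malformed line (expected 'Field: value'): {line!r}")

    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field: {name}")

    for name in sorted(SINGLE_VALUED):
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    for name in sorted(fields.keys() - KNOWN - {"__malformed__"}):
        problems.append(f"unknown field (extensions are allowed, but worth a look): {name}")

    # Contact values are URIs; web URIs are expected to use https.
    for uri in fields.get("contact", []):
        if uri.startswith("http://"):
            problems.append(f"contact URI should use https: {uri}")
        elif not uri.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"contact value is not a recognised URI: {uri}")

    # Expires is an RFC 3339 timestamp: must be in the future, should be under a year out.
    for stamp in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an RFC 3339 timestamp: {stamp}")
            continue
        if expires.tzinfo is None:
            problems.append(f"expires lacks a timezone offset: {stamp}")
        elif expires <= now:
            problems.append(f"security.txt has expired: {stamp}")
        elif expires - now > timedelta(days=365):
            problems.append(f"expires is more than a year out (RFC 9116 recommends less): {stamp}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        print(f"{label}: {check_security_txt(sample, REFERENCE_NOW) or ['OK']}")
```

Run it against a fetched `/.well-known/security.txt` by reading the body into `text` and passing `datetime.now(timezone.utc)` as `now`; the point of the Expires check is that a stale file sends reporters to a contact nobody monitors, which is the failure mode RFC 9116 added the field to prevent.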
Contact
For security-related inquiries:
- Email: admin@csoh.org
- Community: Reach out to organizers during our Friday Zoom sessions
Note: This policy may be updated periodically. Last updated: May 23, 2026.
