RackGenius takes security seriously. We run production infrastructure for real customers, which means our standard has to be higher than "good enough." Even with strong processes, humans make mistakes, and vulnerabilities can slip through. If you find an issue, we want to hear about it so we can fix it quickly and keep everyone safer.

This page explains how to report vulnerabilities responsibly, what’s in scope, what’s out of scope, and what we will (and won’t) reward.


Quick summary

  • We welcome good-faith security reports that help us protect customer data and our platform.

  • We do not offer guaranteed cash bounties. If we provide a reward, it will usually be store credit, service credit, swag, or public recognition, at our discretion.

  • We do not accept low-signal reports like typos, UI/UX issues, misconfigured DNS records, or "best practice" findings without real impact.

  • Do not publicly disclose until we’ve fixed the issue (or agreed on a disclosure plan together).


How to report a vulnerability

Send your report to: [email protected]

When possible, include:

  • A clear description of the issue and why it matters

  • Steps to reproduce (exact URLs, endpoints, IPs, parameters, request/response samples, screenshots)

  • Proof of concept (PoC) that demonstrates impact without accessing customer data

  • Any constraints or special conditions (auth level, account type, plan, feature flag, etc.)

  • Your suggested mitigation (if you have one)

If you prefer encrypted communication, include a request for our PGP key in your email, and we’ll provide it.


Rules of engagement

To keep testing safe and legal for everyone, we ask that you:

  1. Act in good faith and avoid privacy-invasive behavior.

  2. Do not exfiltrate data. Only access the minimum data needed to demonstrate the vulnerability.

    • Do not access, download, or modify other customers’ data.

  3. Do not disrupt service. No denial-of-service testing, load testing, or actions that degrade stability.

  4. Do not use social engineering. No phishing, vishing, pretexting, or impersonation.

  5. Do not persist. No backdoors, malware, crypto-miners, persistence mechanisms, or lateral movement.

  6. Do not disclose publicly until we confirm a fix or we mutually agree on a disclosure timeline.

  7. One report per issue. If multiple endpoints are affected by the same root cause, report it once with examples.

If you’re ever unsure whether a testing technique is acceptable, choose the safer option and explain your concern in the report.


Safe harbor (good-faith protection)

If you follow this policy and operate in good faith, we will:

  • Treat your report as authorized security research within the scope defined below

  • Not pursue legal action against you for accidental, good-faith violations that do not harm customers or disrupt operations

  • Work with you to understand and resolve the issue

This safe harbor does not apply to:

  • Data theft, extortion, ransomware, or intentional disruption

  • Testing that violates laws or regulations

  • Social engineering, credential stuffing, or other unauthorized access attempts


What we promise in return

  • We’ll acknowledge your report as soon as possible.

  • We’ll provide a status update and an initial triage decision.

  • We’ll keep you reasonably informed as the issue moves through remediation.

  • We’ll credit you (if you want) once it’s resolved, via a Hall of Fame entry or a public thank-you.


Response timeframes

We triage based on severity and exploitability:

  • Critical: acknowledge and begin triage as soon as possible, with a target remediation plan within 48 hours

  • High: target triage within 3 business days

  • Medium/Low: target triage within 7 business days

Fix timelines vary by complexity and risk, but we aim to remediate most valid issues within 30 days. Some fixes (especially infrastructure or dependency updates) may require longer; if so, we’ll tell you why and provide a revised timeline.


Rewards

We are a small team. We cannot guarantee cash payouts. That said, we still want to reward useful work.

For valid, in-scope vulnerabilities, rewards may include:

  • Service credit/account credit

  • Swag

  • Public recognition (Hall of Fame)

Rewards are discretionary and based on:

  • Severity and real-world impact

  • Quality of report (clarity, reproducibility, PoC)

  • Novelty (not previously known or already being addressed)

  • Safety of testing (no customer impact, no disruption)


Scope

In scope

  • *.rackgenius.com

  • Customer portals, billing portals, and internal tooling owned and operated by us

  • APIs operated by us (including authentication mechanisms and authorization controls)

  • Infrastructure management systems only when explicitly accessible as part of our platform

  • Public-facing services we operate under our domains

Out of scope

  • Customer-owned applications, websites, and content hosted on our platform

  • Third-party services/tools we don’t control (even if integrated)

  • Physical attacks or onsite attempts against our facilities, staff, or vendors

  • Social engineering of employees, contractors, or data center staff

  • DoS / DDoS / stress testing / volumetric scanning that impacts service

  • Vulnerabilities in systems not listed as "in scope"

  • Anything requiring you to access data that isn’t yours

If you aren’t sure whether something is in scope, report it anyway, but clearly label the target and how you discovered it.


What we do not accept

The following types of reports will not be accepted. This list is sourced from existing bug bounty programs and reflects common low-signal submissions we receive:

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Attacks requiring MITM or physical access to a user's device

  • Previously known vulnerable libraries without a working Proof of Concept

  • Comma-Separated Values (CSV) injection without demonstrating a vulnerability

  • Missing best practices in SSL/TLS configuration

  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS

  • Rate limiting or brute-force issues on non-authentication endpoints

  • Missing best practices in Content Security Policy

  • Missing HttpOnly or Secure flags on cookies

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers (More than 2 stable versions behind the latest released stable version)

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)

  • Public zero-day vulnerabilities in third-party software whose official patch has been available for less than 1 month; these are considered for rewards only on a case-by-case basis

  • Tabnabbing

  • Open redirect — unless an additional security impact can be demonstrated

  • Issues that require unlikely user interaction

In addition, we also do not accept:

  • UI/UX bugs, visual issues, or "this looks wrong" reports

  • Spelling/grammar mistakes, broken links, minor formatting issues

  • Misconfigured DNS records (unless you can demonstrate a real security impact like takeover)

  • Missing security headers that don’t enable an exploit path

  • “Best practice” recommendations without a concrete attack scenario

  • Reports that are purely automated scanner output with no validation or impact

  • Reports that require credentials you do not own or permission you do not have


Coordinated disclosure guidelines

We support coordinated disclosure. If you want to publish a write-up:

  • Wait until we confirm a fix is deployed (or agree on a date)

  • Don’t publish exploit code that meaningfully increases risk for customers

  • If you want credit, tell us the name/handle you want listed


Duplicate reports & eligibility

  • First report of a unique vulnerability (root cause) is eligible.

  • If the issue is already known, already being fixed, or previously reported, we may still thank you, but it likely won’t qualify for rewards.


Legal and privacy notes

Participation in this program does not grant permission to:

  • Access or attempt to access accounts that are not yours

  • Access or extract customer data

  • Attempt persistence or lateral movement

  • Perform disruptive testing

We reserve the right to request you stop testing immediately if we believe there is a risk to customers or platform stability.


Report now

Send your report to: [email protected]
Include “Responsible Disclosure” in the subject line.

Thank you for helping keep our systems (and our customers) safer.
