Cloudsmith

Hall of Fame

The security hall of fame lists the security researchers who have provided qualifying exploit information for actual, tangible security risks against the Cloudsmith service itself (i.e. not third-party services). Each entry represents a separate report for a particular exploit, along with its final status, listed in reverse chronological order by the date the exploit was reported. A description of the fields is provided below the table.

Cloudsmith thanks the following security researchers:

| Date | Reporter | Severity | Classification | Status |
|------------|----------|----------|-----------------------------|----------------------------|
| 2018-07-26 | | HIGH | Subdomain Takeover | Fixed (2018-07-30) |
| 2017-08-08 | | MEDIUM | Brute Force / Flood Attack | Fixed (2017-08-19) |
| 2017-05-31 | | MEDIUM | Hyperlink Injection | Fixed (2017-08-11) |
| 2017-06-07 | | MEDIUM | Tab URI Hijack | Fixed (2017-08-11) |
| 2017-05-20 | | HIGH | Cross-Site Scripting (XSS) | Fixed (2017-05-23) |
| 2017-05-17 | | MEDIUM | Information Disclosure | Fixed (2017-05-17) |
| 2017-05-16 | | LOW | Brute Force Attack | Fixed (2017-05-16) |
| 2017-05-10 | | MEDIUM | Hyperlink Injection | Fixed (2017-05-16) |
| 2017-03-21 | | LOW | Cross-Site Scripting (XSS) | Fixed (2017-03-29) |
| 2017-02-26 | | MEDIUM | Brute Force Attack | Fixed (2017-03-29) |
| 2017-02-26 | | MEDIUM | Brute Force Attack | Fixed (2017-03-29) |
| 2017-02-02 | | MEDIUM | Decompression Bomb | Fixed (2017-02-06) |
| 2017-02-02 | | MEDIUM | Open Redirect | Fixed (2017-02-06) |
| 2017-01-07 | | LOW | Subdomain Takeover | Fixed (2017-01-12) |
| 2016-12-28 | | LOW | Subdomain Takeover | No Fix Needed (2016-12-28) |
| 2016-12-15 | | LOW | Cross-Site Scripting (XSS) | No Fix Needed (2016-12-28) |
| 2016-12-10 | | MEDIUM | Cross-Site Scripting (XSS) | Fixed (2017-02-06) |

Date:

This is the date that the exploit was reported to Cloudsmith.

Reporter:

This is attribution to the security researcher who reported the exploit, along with a link to a profile location of their choosing. If the researcher wishes to remain anonymous, or would prefer to use a pseudonym instead of a real name, then the entry is marked as such.

Severity:

The severity for an exploit (if disclosed) is determined from a combination of impact (the damage it can cause if exploited) and likelihood (how easy it is to actually perform the exploit). We follow the OWASP Risk Rating Methodology when determining this and assign a LOW, MEDIUM or HIGH severity rating.

Classification:

The classification for an exploit follows the general categories for qualifying information outlined in the Security Policy. If no category fits but the report is still determined to be qualifying information, then we either add a new category or use a catch-all "Other" classification. Prior to full disclosure, valid reports are listed as "Not Disclosed Yet".

Status:

This is the status of the exploit. If the exploit was fixed, then the status is "Fixed" along with the date the exploit was negated. An exploit can also be marked "No Fix Needed" while still being acknowledged in this table; this most likely means the exploit either did not pose a viable security risk, was extremely difficult to carry out, or was reported before the security policy explicitly excluded an element related to it.