Responsible Disclosure
Last updated 01/01/2026
Cloudsonic Hosting (“Cloudsonic”, “we”, “us”, “our”), a brand operated by Brisbane Agency (ABN: 20 039 689 628), takes the security of our systems and our customers’ data seriously. We welcome reports from security researchers and members of the public who discover potential vulnerabilities in our infrastructure, websites, or services.
This Responsible Disclosure Policy explains how to report security vulnerabilities to us and what you can expect from us in return.
1. Scope
This policy applies to security vulnerabilities discovered in:
- Our websites: cloudsonic.com.au, cloudsonic.eu, cloudsonic.us, and associated subdomains
- Our customer control panel and account management systems
- Our hosting infrastructure, to the extent it affects Cloudsonic’s own systems
This policy does not cover vulnerabilities in customer-hosted websites or applications. If you have discovered a vulnerability in a third-party website hosted on our infrastructure, please contact the website owner directly.
2. How to Report
Please report suspected vulnerabilities via our contact page. To help us triage your report efficiently, please include:
- A clear description of the vulnerability and the potential impact
- The affected system, URL, or component
- Step-by-step instructions to reproduce the issue
- Any supporting evidence such as screenshots, proof-of-concept code, or request/response logs
- Your contact details so we can follow up with you
Please submit reports in English where possible.
3. What We Ask of You
When conducting security research and reporting vulnerabilities, we ask that you:
- Act in good faith and with the intent to improve security, not to cause harm
- Do not access, modify, delete, or exfiltrate data belonging to Cloudsonic or our customers beyond what is necessary to demonstrate the vulnerability
- Do not perform testing that disrupts or degrades our Services or affects other customers
- Do not exploit a vulnerability beyond a minimal proof of concept
- Do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate it (see Section 5, Coordinated Disclosure)
- Do not use automated scanning tools against our infrastructure without prior written approval
- Comply with all applicable laws when conducting your research
4. What You Can Expect from Us
If you report a vulnerability in good faith and in accordance with this policy, we commit to:
- Acknowledging receipt of your report within 5 business days
- Keeping you informed of our progress as we investigate and remediate the issue
- Treating your report confidentially and not sharing your personal details without your consent, except where required by law
- Not pursuing legal action against you in connection with your research, provided you have complied with this policy
We do not currently operate a bug bounty programme and are unable to offer monetary rewards for vulnerability reports. We are happy to acknowledge your contribution publicly if you would like, subject to your consent.
5. Coordinated Disclosure
We ask that you give us a reasonable period to investigate and remediate a reported vulnerability before disclosing it publicly. We consider 90 days from the date of acknowledgment to be a reasonable timeframe in most cases. If you believe an issue requires more urgent disclosure, please discuss this with us directly.
We will aim to keep you updated throughout the remediation process and will work with you to agree on an appropriate disclosure timeline.
6. Out of Scope
The following are outside the scope of this policy and should not be tested:
- Social engineering attacks against Cloudsonic staff or customers
- Physical security testing
- Denial-of-service or volumetric attacks of any kind
- Spam or phishing campaigns
- Vulnerabilities in third-party software or services that we do not control, unless they directly impact our systems
- Issues that require unlikely user interaction or have negligible security impact
7. Legal
This policy does not grant you permission to act in a manner that is unlawful under Australian, EU, US, or other applicable law. Security research conducted in accordance with this policy and in good faith is not considered by us to be a violation of our Terms of Service or Acceptable Use Policy. However, we cannot provide assurances regarding the position of third parties or law enforcement agencies.