
[Predisclosure-applications] Application for the predisclosure list



Hello,

I'm writing on behalf of my company with the request to be added to the pre-disclosure list. I've filled in the information on the security policy page here below.

The name of your organization:

    CloudVPS B.V.

    Oostmaaslaan 71
    15th floor
    3063 AN Rotterdam
    Netherlands

Domain name(s) which you use to provide Xen software/services

    http://www.cloudvps.com/ - http://www.cloudvps.nl/


Pre-disclosure E-mail Alias:  securityteam@xxxxxxxxxxxx


A brief description of why you fit the criteria

    CloudVPS is a large Dutch infrastructure as a service provider. We provide Xen PV, Hyper-V and KVM (OpenStack) servers and a range of related services like consultancy, custom solutions, certificates, high-availability and such.

    We have a little over 10 000 Xen PV servers and run a mix of CentOS and Ubuntu hypervisor servers underneath with Xen. We do not provide HVM, just PV. This is, as far as I know, the first time public numbers are mentioned about our Xen VM count. On the page a count of 300,000 guests is mentioned, but we hope our count is enough as well.

    By receiving early notice of vulnerabilities we are able to plan time and people. This allows us to better prepare for a disclosure.

    The servers are provided to our clients generally unmanaged. Clients mostly run web servers like Apache.

If not all of your products/services use Xen, a list of (some of) your products/services (or categories thereof) which do.
Link(s) to current public web pages, belonging to your organisation, for each of following pieces of information:

    Evidence of your status as a service/software provider:
        If you are a public hosting provider, your public rates or how to get a quote

            Our XEN prices are here: http://www.cloudvps.com/virtual-private-server/prices

    Evidence of your status as a user/distributor of Xen:
        Statements about, or descriptions of, your eligible production services or released software, from which it is immediately evident that they use Xen.

            The page where it is most prominently listed: http://www.cloudvps.com/virtual-private-server

            There are a few articles and posts on our site which mention that we use XEN, but it's not all over the place:

                - http://www.cloudvps.com/community/faq/about-cloudvps/what-virtualisation-techniques-do-you-use-and-why
                - http://www.cloudvps.com/community/openstack-faq/openstack-general/can-i-link-a-vpc-from-the-xen-hyperv-platform-with-an-openstack-private-net
                - http://www.cloudvps.com/blog/xen-vulnerability-doesnt-impact-cloudvps/
                - http://www.cloudvps.com/blog/emergency-maintenance-tonight-xen-upgrade-on-tuesday-june-12th-2012-startin/
                - http://www.cloudvps.com/community/knowledge-base/webbased-console/


    Information about your handling of security problems:
        Your invitation to members of the public, who discover security problems with your products/services, to report them in confidence to you;

        Specifically, the contact information (email addresses or other contact instructions) which such a member of the public should use.

            There is no specific responsible disclosure page, but our contact data is listed here, including email and telephone:

                http://www.cloudvps.com/contact

            In the past issues have been reported either via our support desk or directly via the telephone. Emails go to support@xxxxxxxxxxxx.

            After a customer has ordered a VPS a specific email with data like IP and such is sent, which also contains information on how to contact us.

            Our SLA page, section 6.1 ACCESS TO SUPPORT has this information as well: http://www.cloudvps.com/service-level-agreement

            We handle emails and tickets to our support as described in our terms, http://www.cloudvps.com/general-terms-and-conditions, which is a PDF. Response time is, on business days, within 4 hours if something is submitted before noon, otherwise next business day. For urgent matters we have 24/7 support with an engineer available (http://www.cloudvps.com/contact/storingsnummer).

A statement to the effect that you have read this policy and agree to abide by the terms for inclusion in the list, specifically the requirements regarding confidentiality during an embargo period:

        I, as well as our security team (the cert), have read the Xen Security Policy, Handling of embargoed information and we agree to abide by the terms and requirements for inclusion on the pre-disclosure list.



The single (non-personal) email alias you wish added to the predisclosure list.


    securityteam@xxxxxxxxxxxx


Sincerely,

Remy van Elst
System Administrator

CloudVPS

_______________________________________________
Predisclosure-applications mailing list
Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/cgi-bin/mailman/listinfo/predisclosure-applications

 

