Reporting suspected vulnerabilities

If you would like to report a vulnerability or have a security concern regarding deepc cloud services or open source projects, please submit the information by contacting If you wish to protect the contents of your submission, you may use our GPG key.

Click to expand GPG key

Validation of vulnerabilities by deepc

Once the report has been submitted, deepc will work to validate the reported vulnerability. If additional information is required to validate or reproduce the issue, deepc will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and discussion of public disclosure.

deepc is committed to being responsive and keeping you informed of our progress as we investigate and / or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. We strive to provide  progress updates at least every five working days to you.

A few things to note about the deepc process:

  • Third-party products: Many vendors offer products within the deepc cloud. If the vulnerability is found to affect a third-party product, deepc will notify the owner of the affected technology. deepc will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.
  • Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to originate in an deepc product, this will be shared with you.
  • Vulnerability classification: deepc uses version 3.1 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and to prioritize our response. For more information on CVSS, please reference the NVD site.

Coordinated vulnerability disclosure

If applicable, deepc will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.

In order to protect our customers, deepc requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time, and the timeline will depend upon the severity of the vulnerability and the affected systems.