🛡️ Security Transparency

Security Advisories & Vulnerability Reports

We maintain a public record of all security advisories, incident reports, and vulnerability disclosures. Our commitment to transparency ensures you can trust the infrastructure powering your applications.

| Date | Advisory | Description | Severity | Status | Reference |
|------|----------|-------------|----------|--------|-----------|
| 2025-06-12 | API Gateway Authentication Bypass | Improper validation in the edge proxy allowed unauthorized route enumeration under specific header configurations. | Critical | Resolved | CVE-2025-3821 |
| 2025-05-28 | Kubernetes Control Plane RBAC Escalation | Legacy service account tokens retained elevated permissions after a cluster version upgrade. | High | Resolved | CVE-2025-3790 |
| 2025-04-15 | CDN Cache Poisoning via Host Header | Missing Host header normalization allowed limited cache storage attacks on custom domains. | Medium | Resolved | CVE-2025-3642 |
| 2025-07-03 | Object Storage ACL Misconfiguration | Public read policy inheritance could expose bucket contents when versioning is enabled. Patch rolling out. | High | Acknowledged | CVE-2025-4102 |
| 2025-03-09 | Dashboard XSS via Export Filename | Reflected XSS possible in the analytics CSV download when unvalidated user input is passed to the filename parameter. | Low | Resolved | CVE-2025-2988 |
📜 Responsible Disclosure

How to Report a Vulnerability

We welcome reports from security researchers and customers. We follow a coordinated disclosure process and reward valid findings through our Bug Bounty Program.

🔍 Reporting Process

1. Submit findings via our encrypted security portal or email.

2. Our SOC team acknowledges receipt within 24 hours.

3. We investigate, reproduce, and develop a fix.

4. Coordinated disclosure occurs within 30–90 days depending on severity.

🚫 Out of Scope

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering or phishing attempts
  • Automated scanning without prior authorization
  • Third-party services or subdomains
  • Issues in deprecated/unsupported regions

Contact: security@cloudnexus.io (PGP Key ID: 8F3A 9C21 D47E B105)

Security & Compliance

CloudNexus infrastructure is continuously audited and certified against industry-leading security frameworks.

🔐 SOC 2 Type II

Annual audit of security, availability, and confidentiality controls.

🌍 ISO 27001

Internationally recognized information security management system.

🇪🇺 GDPR & CCPA

Full data privacy compliance with regional data residency options.

🏥 HIPAA Ready

Configurable environments meeting healthcare data handling requirements.