An open project to list all publicly known cloud vulnerabilities and CSP security issues
Changes and additions to this GitHub repository are automatically reflected at cloudvulndb.org.
Security bugs in Cloud services tend to fall between the cracks, as they don’t fit well into the current shared responsibility model of cloud security. As a result, remediation often requires a joint effort between both the CSP and their customers.
There is currently no universal standard for cloud vulnerability enumeration – CSPs rarely issue CVEs for security mistakes discovered in their services, there are no industry conventions for assessing severity, no proper notification channels and no unified tracking mechanism – this leads to a great deal of inefficiency and confusion.
Our goal in this project is to pave the way for a centralized cloud vulnerability database, by cataloging CSP security mistakes and listing the exact steps CSP customers can take to detect or prevent these issues in their own environments.
We believe this project can prove the utility of a cloud vulnerability database (VDB), bring more transparency into these issues, and ultimately make the cloud even more secure.
This project was built on the foundations of Scott Piper’s “Cloud Service Provider security mistakes”, and as of June 28th, 2022, all content included here originally appeared in that repository.
To contribute a new issue or suggest an edit to an existing one, please add a commit and our maintainers will review it for merging within a few days (but usually sooner). The changes will then automatically be reflected at cloudvulndb.org.
Please make sure that your contributions match our criteria for inclusion, and follow these guidelines:
- Use the CVDB YAML format.
- Include public references (as URLs).
- Provide a clear and detailed description of the issue.
- Give the issue a descriptive and non-generic title.
- Assign the issue an estimated severity and/or rate it using the Piercing Index.
- Give proper credit to the researchers involved in the discovery.
- Use respectful language (avoid disparaging CSPs, vendors or researchers).
- Join our Slack group
- Follow us on Twitter, LinkedIn and Mastodon
- Email us
- Add requests for bugfixes or new features
To learn more about this project and the challenges surrounding cloud vulnerabilities, watch the talk we gave at fwd:cloudsec 2022 (recording, slides).
