About

Mission Statement

Security bugs in cloud services tend to fall between the cracks, as they don’t fit well into the current shared responsibility model of cloud security. As a result, remediation of cloud security vulnerabilities often requires a joint effort between both the CSP and their customers.

There is currently no universal standard for cloud computing vulnerability enumeration – CSPs rarely issue CVEs for security mistakes discovered in their services, there are no industry conventions for assessing severity of cloud vulnerabilities, no proper notification channels and no unified tracking mechanism – this leads to a great deal of inefficiency and confusion surrounding cloud vulnerability management.

Our goal in this project is to pave the way for a centralized cloud vulnerability database, by cataloging CSP security mistakes and listing the exact steps CSP customers can take to detect or prevent these issues in their own environments.

We believe this project can prove the utility of a cloud vulnerability database, bring more transparency into these issues, and ultimately make the cloud even more secure.

Criteria

We define the following criteria for inclusion in this database:

1. Publicly known cloud vulnerabilities or security issues in cloud services;
2. With or without an assigned CVE;
3. That had a proven actual or potential impact on cloud customers;
4. And required remediation actions on either side of the shared responsibility model.

Examples include:

• Security issues affecting CSP-managed services
• Default misconfigurations of CSP-managed services
• Vulnerabilities in CSP-provided client software

We consider the following cases to be out of scope of this project:

• Cloud vulnerabilities or security issues about which there is no publicly available information
• CSP customer security incidents
• WAF bypass vulnerabilities

History

This project was built on the foundations of Scott Piper’s “Cloud Service Provider security mistakes”, and as of June 28th, 2022, all content included here originally appeared in that repository.

Next Steps

Besides continuing to document newly discovered cloud vulnerabilities and security issues, we would also like to achieve the following:

1. Reach consensus on definitions for severity (e.g., what makes a cloud vulnerability critical?).
2. Differentiate between closed vs. ongoing security issues, and bring more attention to ongoing issues.
3. Calculate exploitability periods for each issue.
4. List detection methods for every issue, where possible.

Project Maintainers

• Scott Piper
• Amitai Cohen
• Alon Schindel

Related Efforts

• CSA Global Security Database
• Cloud Security Notification Framework

Contact Us

• Follow us on Twitter, LinkedIn and Mastodon
• Email us
• Add requests for bugfixes or new features

Sponsorship

This site is kindly sponsored by Wiz. Its content is contributed by the cloud security community and for the cloud security community.