Ubicloud is committed to keeping customer data safe and secure. This is a hard problem and we take it seriously.
If you have a security concern or believe you've found a vulnerability in our infrastructure, please send your report to security@ubicloud.com. This will give us a structured way to track and respond to your concerns.
When we receive your report, we will reply within 24 hours and issue you a ticket ID for future tracking.
We will investigate each reported vulnerability according to its severity. We will then patch or remediate each issue within a timeframe that's appropriate to the vulnerability's severity, given that a patch or remediation steps are available.
Severity: Timeframe
Critical: 24 hours
High: 1 week
Medium: 1 month
Others: As necessary
If your vulnerability report includes a severity rating, we'll use that as our starting point. Based on our investigation, we may upgrade or downgrade the severity rating.
We use established best practices to provide cloud security. Those practices and their applications are also publicly available in our GitHub repository. In summary, we take the following steps.
For our managed service, we review and select hosting providers based on their physical and digital security practices.
Elastic Compute: We use Linux KVM for full virtualization. We further use the Cloud Hypervisor as our virtual machine monitor (VMM); and contain each VMM within Linux namespaces for isolation and security.
Virtual Networking: We use IPsec tunneling to establish an encrypted and private network environment; and regularly rotate encryption keys. For security, each customer's VMs operate in their own networking namespace.
Block Storage: We use Storage Performance Development Toolkit (SPDK) to provide virtualized block storage to VMs. We encrypt the data encryption key itself, ensuring that a compromised host isn't enough to decrypt customer data. We also regularly rotate encryption keys.
