Security bugs in cloud services tend to fall between the cracks, as they don’t fit well into the current shared responsibility model of cloud security. As a result, remediation of cloud security vulnerabilities often requires a joint effort between both the CSP and their customers.
There is currently no universal standard for cloud computing vulnerability enumeration – CSPs rarely issue CVEs for security mistakes discovered in their services, there are no industry conventions for assessing severity of cloud vulnerabilities, no proper notification channels and no unified tracking mechanism – this leads to a great deal of inefficiency and confusion surrounding cloud vulnerability management.
Our goal in this project is to pave the way for a centralized cloud vulnerability database, by cataloging CSP security mistakes and listing the exact steps CSP customers can take to detect or prevent these issues in their own environments.
We believe this project can prove the utility of a cloud vulnerability database, bring more transparency into these issues, and ultimately make the cloud even more secure.
We define the following criteria for inclusion in this database:
We consider the following cases to be out of scope of this project:
This project was built on the foundations of Scott Piper’s “Cloud Service Provider security mistakes”, and as of June 28th, 2022, all content included here originally appeared in that repository.
Besides continuing to document newly discovered cloud vulnerabilities and security issues, we would also like to achieve the following:
This site is kindly sponsored by Wiz. Its content is contributed by the cloud security community and for the cloud security community.