Disclosure Policy


Druva is committed to keeping our systems, data and product(s) secure. Despite the measures we take, security vulnerabilities will always be possible.

If you believe you’ve found a security vulnerability, please send it to us by emailing security@druva.com. Please include the following details with your report:

  • Your name and contact info.
  • Your PGP or GPG public key to allow for encrypted communication (if available)
  • Description of the location and potential impact of the vulnerability
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
  • Please make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of services and/or data.
  • Please encrypt findings emailed to Druva using the PGP key available here.

We will respond to your report within 5 business days of receipt and will attempt to keep you regularly informed of our progress toward resolving the vulnerability. If you have followed the above instructions, we will not take any legal action against you regarding the report.

Terms and Conditions

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you:

  • Use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
  • Do not test for spam, social engineering or denial of service issues.
  • Your testing must not violate any law, or disrupt or compromise any data that is not your own. 
  • Do not violate any other relevant agreements.
Domains in Scope

Druva’s domains and their respective subdomains, in scope for this policy are listed below, including client applications and virtual appliances Druva provides for services provided on these domains: 

  • druva.com
  • cloudranger.com