How we handle CVEs.

Vulnerabilities, advisories, and incidents — handled publicly, on the record, and on the same page as our customers. A hosting provider you can't reach during a security incident isn't a hosting provider, it's a billing service. We won't be that.

Last advisory · 2026-05-01 · CVE-2026-31431 (Copy Fail)

What we commit to, in writing

For every customer running on PrivateByte infrastructure — including Self-Managed VPS — these are the commitments we hold ourselves to when a CVE drops affecting your stack.

01 · Notification · CVE notification · ≤24h · Inbox · Portal · Telegram
From CVE disclosure to email + portal banner + Telegram channel post. Critical-severity advisories go out faster.

02 · Patch · Critical patch deploy · ≤48h · Operated stack
For software we operate: host OS, networking, our portal. Customer-managed software stays your responsibility, but we'll always tell you when there's a CVE.

03 · Log · Public advisory log · Live · Forever, no rotation
Every notification we send to customers also lives here, on this page, indefinitely. Including upstream CVEs we're tracking even when we're unaffected.

04 · Disclosure · Disclosure response · ≤24h · Direct, human reply
If you've found a vulnerability in PrivateByte itself, you get a human reply within a business day. No bug-bounty platform middleware.

How to subscribe

Security notifications go to every active customer on the affected channel(s). They are separate from marketing email and cannot be opted out of without closing your account — your server being exploitable is not a "promotional" matter.

Email · Account email: tagged [Security] in the subject for filtering.
Portal · In-app banner: persistent banner across the portal when your account is affected.
Telegram · Public channel: advisories pinned to the channel. No marketing.
RSS · Machine-readable feed: for dashboards and automation.

Public advisory log

Every advisory we've sent customers, plus upstream CVEs we're tracking even when our infrastructure is unaffected.

2026-05-01 · Mitigated
CVE-2026-31431 — “Copy Fail” local privilege escalation
A Linux kernel bug in a userspace crypto interface lets an unprivileged local user escalate to root. We acted inside our 24h notification SLA. Hypervisor hosts (where customer VMs run): a module-load blacklist has been applied, so the vulnerable code path can no longer be loaded; zero downtime, no customer impact. Portal hosts (where the customer panel runs): on these systems the affected component is compiled into the kernel rather than built as a loadable module, so the modprobe-based interim fix doesn't apply; only authorized administrators have shell access there, which limits the local privilege-escalation exposure. We're awaiting the upstream patched kernel and will reboot during an announced maintenance window once it ships, inside our 48h critical-patch SLA. Customer VPS guests run their own kernels: if you're on a recent Linux, please update and reboot once your distro ships a patched kernel.

2026-04-29 · Unaffected
CVE-2026-41940 — cPanel auth bypass
We don't run cPanel for the customer portal, so nothing of ours is exposed. If you're running cPanel yourself on a VPS with us, patch via cPanel's release channel; we're happy to help if you need a hand.

2026-04-22 · Patched
Portal account-id confusion
An identifier-mapping bug in our billing backend meant ~17% of accounts could briefly see another customer's services on the portal during a session. Caught and patched the same day. ICO Article 33 report filed within the statutory window. Regression test pinned in CI. Full write-up available on request.
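The Copy Fail entry above turns on one distinction: on the hypervisor hosts the affected component is a loadable module, so a modprobe blacklist closes the path, while on the portal hosts it is compiled in and only a patched kernel helps. The script below is an added example, not PrivateByte's tooling, that makes that decision for a host from its kernel config and loaded-module list, and writes the blacklist entry idempotently. CONFIG_PLACEHOLDER_CRYPTO and placeholder_crypto are placeholders (the real option and module names come from your distro's advisory for the CVE); the demo runs on constructed sample files, and a real run would read /boot/config-$(uname -r) (or /proc/config.gz), /proc/modules and a file under /etc/modprobe.d/.

```shell
#!/bin/sh
# Added example, not PrivateByte's tooling. Decides, for one host, whether a
# modprobe blacklist can neutralise a vulnerable kernel component (the split the
# Copy Fail entry describes: loadable module vs compiled-in) and applies the
# blacklist idempotently. CONFIG_PLACEHOLDER_CRYPTO / placeholder_crypto are
# placeholders; take the real option and module names from your distro's advisory.

# classify <kernel-config-file> <CONFIG_OPTION>
# prints "module" (=m), "builtin" (=y) or "absent" (not set / not present)
classify() {
    cfg="$1"; opt="$2"
    case "$(grep -E "^${opt}=" "$cfg" 2>/dev/null | cut -d= -f2)" in
        m) echo module ;;
        y) echo builtin ;;
        *) echo absent ;;
    esac
}

# plan <kernel-config-file> <CONFIG_OPTION> <module-name> <proc-modules-file>
# prints what an interim fix on this host has to be:
#   blacklist               module not loaded: a modprobe.d entry closes the path
#   blacklist+unload        module already resident: the entry alone changes
#                           nothing until the module is removed or the host reboots
#   kernel-update-required  compiled in: only a patched kernel (and a reboot) helps
#   not-applicable          option not built at all
plan() {
    cfg="$1"; opt="$2"; mod="$3"; loaded="$4"
    case "$(classify "$cfg" "$opt")" in
        module)
            # /proc/modules lines start with "<name> <size> <refcount> ..."
            if grep -q "^${mod} " "$loaded" 2>/dev/null; then
                echo "blacklist+unload"
            else
                echo "blacklist"
            fi ;;
        builtin) echo "kernel-update-required" ;;
        absent)  echo "not-applicable" ;;
    esac
}

# apply_blacklist <modprobe.d-conf-file> <module-name>
# "install <mod> /bin/false" makes every load request fail, including explicit
# ones; a plain "blacklist <mod>" only disables the module's own aliases, so it
# would not stop a direct modprobe or an in-kernel request_module() by name.
apply_blacklist() {
    conf="$1"; mod="$2"
    grep -qs "^install ${mod} /bin/false" "$conf" \
        || printf 'install %s /bin/false\n' "$mod" >> "$conf"
}

# Demo on constructed inputs (a real run would use /boot/config-$(uname -r),
# /proc/modules and /etc/modprobe.d/<name>.conf).
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_PLACEHOLDER_CRYPTO=m\n' > "$d/config-hypervisor"   # constructed
    printf 'CONFIG_PLACEHOLDER_CRYPTO=y\n' > "$d/config-portal"       # constructed
    printf 'placeholder_crypto 16384 0 - Live 0x0000000000000000\n' > "$d/modules"
    echo "hypervisor host: $(plan "$d/config-hypervisor" CONFIG_PLACEHOLDER_CRYPTO placeholder_crypto "$d/modules")"
    echo "portal host:     $(plan "$d/config-portal" CONFIG_PLACEHOLDER_CRYPTO placeholder_crypto "$d/modules")"
    apply_blacklist "$d/copyfail.conf" placeholder_crypto
    apply_blacklist "$d/copyfail.conf" placeholder_crypto   # second call is a no-op
    echo "modprobe.d entry: $(cat "$d/copyfail.conf")"
    rm -rf "$d"
}

demo
```

Two checks matter after writing the entry: `modprobe -n -v <module>` should now show the install line rather than an insmod, and a module that was already resident stays resident until it is unloaded or the host reboots, which is why `plan` reports blacklist+unload separately. For the compiled-in case there is no interim switch to flip; the answer is the patched kernel and the announced reboot, exactly as the entry states for the portal hosts.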

Reporting a security issue

Found a vulnerability in PrivateByte's infrastructure, services, or portal? Email us. We acknowledge within 24 hours and aim to triage within 72.

Responsible disclosure

Direct line. No middleware.

[email protected]

PGP key on request. No paid bug bounty yet, but legitimate findings get written acknowledgement, public credit (with your permission), and where the impact warrants it, a meaningful gift or account credit.

Please give us reasonable time to fix before public disclosure.

How we operate

The security-relevant operational principles we hold ourselves to. Implementation specifics are deliberately not enumerated here — that would only be useful to attackers — but the commitments below are real and binding.

Host patching
Critical CVEs deployed within our published 48-hour SLA. Routine patches on a weekly cadence. Maintenance windows announced in advance.
Customer portal
Custom-built — we don't run cPanel/WHM customer-side, so cPanel CVEs don't reach our customer panel. Codebase actively maintained, CI-gated tests, regression tests pinned for past incidents.
DDoS protection
Always-on. Free with every plan. Edge WAF + datacenter-tier scrubbing upstream.
Network
Firewall rules audited monthly. Admin access is key-based only, no password fallback. Outbound abuse monitoring with automated rate limits.
Customer data at rest
Encrypted at rest where infrastructure permits. Daily backups with append-only retention and immutable copies on isolated infrastructure, following industry 3-2-1 principles.
Crypto payment vault
Customer deposit-address keys are derived on-demand from a master vault, encrypted at rest. Decryption keys are held offline in multiple geographically-distributed cold storage locations.
Incident transparency
We file ICO Article 33 reports for any incident affecting UK customer personal data, regardless of severity threshold. Public write-ups available on request.
Operating team
Small. Every CVE personally reviewed by a member of the engineering team. We answer security email; we don't queue you behind a chat-bot.

Why we publish this

Most hosting providers commit to nothing about CVE response in writing. Their marketing pages promise "managed" security; their legal agreements disclaim liability for the third-party software they're managing. When something critical lands, customers find out on a third-party security blog — not from their vendor.

We are, deliberately, the opposite. The commitments above are real, and customers can hold us to them. If we ever miss the SLAs on this page for a critical CVE affecting our stack, we'll publicly post that we missed and what we're doing about it — on this same page, in the advisory log. The transparency is the product.

Hosting that doesn't go quiet during a security incident

Servers from $5.99/mo. 1 Gbps unmetered. Free DDoS protection. And a security page you can actually hold us to.