APNIC Vulnerability Reporting Program

As the Regional Internet Registry (RIR) for the Asia Pacific region, APNIC is committed to its vision of a global, open, stable, and secure Internet. APNIC strives to support the security of its Members, but to do this APNIC must ensure it maintains strong security on its own network infrastructure.

Bug reporting

We value the hard work of the security research community, and welcome responsible disclosure of any vulnerabilities in our products and services.

If you identify a vulnerability that is in scope (see below), please notify us right away at csirt@apnic.net and optionally encrypt your message using our GPG key. For any issues not related to vulnerability reporting, please use helpdesk@apnic.net . We aim to reply to all reports within 7 days, and to resolve reported P1-P4 vulnerabilities within 90 days (for priority ratings, we use Bugcrowd’s Vulnerability Rating Taxonomy).

We appreciate your cooperation in avoiding privacy violations, damaging data, or causing interruption to any of our services while you perform your research.

In scope

  • *.apnic.net
  • *.apnic.foundation
  • *.isif.asia
  • *.seedalliance.net
  • *.apidt.org

Out of scope

  • Third party sites such as Lets Encrypt, Okta, Cloudflare, Zoom, or similar
    • If you inadvertently find an issue with these sites while testing APNIC, we’d like to hear about it. However, we cannot provide permission to test these third parties.
  • Destruction of data
  • DoS/DDoS
  • Social engineering
  • Physical security controls
  • Directory listing on the following: (working as intended)
    • ftp.apnic.net
    • rpki.apnic.net
  • DMARC policy set to “none” (working as intended)

Report details

Email your reports to csirt@apnic.net. We would appreciate it if your report included the following information:

  • Your contact information, so we can follow up with questions
  • A description of the issue and its nature
  • Detailed steps that allow us to reproduce the issue
  • A brief description of the security impact of the issue

As a not-for-profit, we can’t pay out financial bounties, but we really appreciate your help in safeguarding our systems. If we confirm your finding as a vulnerability, we can recognize your contribution in the ‘Thank You’ section below. Please let us know if you’d like to be publicly thanked.

We also welcome reports of simple bugs with no security impact, and will do our best to address them as soon as practical.

Safe Harbour

When conducting vulnerability research that is:

  • In scope as stipulated in the above; and
  • Subject to a report with the required information being submitted to us in a timely manner,

We will consider this research conducted to be:

  • Authorized in view of any applicable anti-hacking and cybersecurity laws and regulations, and we will not initiate or support legal action against you for accidental, good faith violations of this program;
  • Authorized in view of relevant anti-circumvention and copyright laws, and we will not bring a claim against you for circumvention of access control technological protection measures; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If legal action is initiated by a third party against you and you have complied with this program, we will take steps to make it known that your actions were conducted in compliance with this program.

If, at any time, you have concerns or are uncertain whether your security research is consistent with this program, please email your query to csirt@apnic.net before going any further.

Thank you

APNIC would like to thank the following security researchers for making a responsible disclosure to us.