APNIC Vulnerability Reporting Program

As the Regional Internet Registry (RIR) for the Asia Pacific region, APNIC is committed to its vision of a global, open, stable, and secure Internet. APNIC strives to support the security of its Members, but to do this APNIC must ensure it maintains strong security on its own products, services and infrastructure.

Bug reporting

We value the hard work of the security research community, and welcome responsible disclosure of any vulnerabilities in our products and services.

If you identify a vulnerability that is in scope, please notify us right away using the submission form below. For any issues not related to vulnerability reporting, please use helpdesk@apnic.net. We aim to reply to all reports within 7 days, and to resolve reported vulnerabilities that are a medium severity and higher within 90 days.

We appreciate your cooperation in avoiding privacy violations, damaging data, or causing interruption to any of our services while you perform your research.

In scope

  • *.apnic.net
  • *.apnic.foundation
  • *.isif.asia
  • *.seedalliance.net
  • *.apidt.org
  • submission.apnic.net
    • Use the Test Only event, do not use any public events/conferences
  • orbit.apnic.net
    • Use the testing mailing list, do not use any public mailing lists 

Out of scope

  • help.apnic.net, info.apnic.net, login.apnic.net, and upload.apnic.net
  • FTP, HTTP, or rsync directory listing on the following: (working as intended)
    • ftp.apnic.net
    • rpki.apnic.net
    • rsync.apnic.net
    • aso.apnic.net
    • nori.apnic.net
  • Information disclosure and reflected XSS vulnerabilities for *.rand.apnic.net and *.labs.apnic.net
  • DMARC policy set to “none” (working as intended)
  • Rate limiting or brute force issues on non-authenticated endpoints
  • Missing HttpOnly or Secure flags on cookies that don’t relate to user authentication/credentials
  • Testing on real conferences/events on submission.apnic.net – please use the Test Only event
  • Testing on real/public mailing lists – please use the testing list
  • Third party sites such as Lets Encrypt, Okta, Cloudflare, Zoom, or similar
    • If you inadvertently find an issue with these sites while testing APNIC, we’d like to hear about it. However, we cannot provide permission to test these third parties.
  • Destruction of data
  • DoS/DDoS
  • Social engineering
  • Physical security controls

Safe harbour

When conducting vulnerability research that is:

  • In scope as stipulated in the above; and
  • Subject to a report with the required information being submitted to us in a timely manner,

We will consider this research conducted to be:

  • Authorized in view of any applicable anti-hacking and cybersecurity laws and regulations, and we will not initiate or support legal action against you for accidental, good faith violations of this program;
  • Authorized in view of relevant anti-circumvention and copyright laws, and we will not bring a claim against you for circumvention of access control technological protection measures; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If legal action is initiated by a third party against you and you have complied with this program, we will take steps to make it known that your actions were conducted in compliance with this program.

If, at any time, you have concerns or are uncertain whether your security research is consistent with this program, please email your query to csirt@apnic.net before going any further.

Thank you

As a not-for-profit, it is difficult for us to pay out financial bounties, but we really appreciate your help in safeguarding our systems. If we confirm your finding as a new vulnerability, we can recognize your contribution in the section below. Please let us know if you’d like to be publicly thanked.

APNIC would like to thank the following security researchers for making a responsible disclosure to us.