We value the hard work of the security research community, and welcome responsible disclosure of any vulnerabilities in our products and services.
If you identify a vulnerability that is in scope (see below), please notify us right away at email@example.com and optionally encrypt your message using our GPG key. For any issues not related to vulnerability reporting, please use firstname.lastname@example.org . We aim to reply to all reports within 7 days, and to resolve reported P1-P4 vulnerabilities within 90 days (for priority ratings, we use Bugcrowd’s Vulnerability Rating Taxonomy).
We appreciate your cooperation in avoiding privacy violations, damaging data, or causing interruption to any of our services while you perform your research.
Out of scope
- Third party sites such as Lets Encrypt, Okta, Cloudflare, Zoom, or similar
- If you inadvertently find an issue with these sites while testing APNIC, we’d like to hear about it. However, we cannot provide permission to test these third parties.
- Destruction of data
- Social engineering
- Physical security controls
Email your reports to email@example.com. We would appreciate it if your report included the following information:
- Your contact information, so we can follow up with questions
- A description of the issue and its nature
- Detailed steps that allow us to reproduce the issue
- A brief description of the security impact of the issue
As a not-for-profit, we can’t pay out major bounties, but we really appreciate your help in safeguarding our systems. If we confirm your finding as a vulnerability, we can recognize your contribution in the ‘Thank You’ section below. Please let us know if you’d like to be publicly thanked.
We also welcome reports of simple bugs with no security impact, and will do our best to address them as soon as practical.
When conducting vulnerability research that is:
- In scope as stipulated in the above; and
- Subject to a report with the required information being submitted to us in a timely manner,
We will consider this research conducted to be:
- Authorized in view of any applicable anti-hacking and cybersecurity laws and regulations, and we will not initiate or support legal action against you for accidental, good faith violations of this program;
- Authorized in view of relevant anti-circumvention and copyright laws, and we will not bring a claim against you for circumvention of access control technological protection measures; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If legal action is initiated by a third party against you and you have complied with this program, we will take steps to make it known that your actions were conducted in compliance with this program.
If, at any time, you have concerns or are uncertain whether your security research is consistent with this program, please email your query to firstname.lastname@example.org before going any further.