Report a bug or vulnerability
Bug Reporting
We value the hard work of the security research community, and welcome responsible disclosure of any vulnerabilities in our products and services.
If you identify a vulnerability that is in scope, please notify us right away using the submission form below. For any issues not related to vulnerability reporting, please use helpdesk@apnic.net. We aim to reply to all reports within 7 days, and to resolve reported vulnerabilities of medium severity and higher within 90 days.
We appreciate your cooperation in avoiding privacy violations, damaging data, or causing interruption to any of our services while you perform your research.
In scope
- *.apnic.net
- *.apnic.foundation
- *.isif.asia
- *.seedalliance.net
- *.apidt.org
- submission.apnic.net
  - Use the Test Only event; do not use any public events/conferences
- orbit.apnic.net
  - Use the testing mailing list; do not use any public mailing lists
Out of scope
- help.apnic.net, info.apnic.net, login.apnic.net, and upload.apnic.net
- FTP, HTTP, or rsync directory listing on the following: (working as intended)
- Information disclosure and reflected XSS vulnerabilities for *.rand.apnic.net and *.labs.apnic.net
- DMARC policy set to “none” (working as intended)
- Rate limiting or brute force issues on non-authenticated endpoints
- Missing HttpOnly or Secure flags on cookies that don’t relate to user authentication/credentials
- Testing on real conferences/events on submission.apnic.net – please use the Test Only event
- Testing on real/public mailing lists – please use the testing list
- Third-party sites such as Let's Encrypt, Okta, Cloudflare, Zoom, or similar
  - If you inadvertently find an issue with these sites while testing APNIC, we’d like to hear about it. However, we cannot provide permission to test these third parties.
- Destruction of data
- DoS/DDoS
- Social engineering
- Physical security controls
Submit Vulnerability Report
Safe harbour
When conducting vulnerability research that is:
- In scope as stipulated above; and
- Subject to a report with the required information being submitted to us in a timely manner,
we will consider the research conducted to be:
- Authorized in view of any applicable anti-hacking and cybersecurity laws and regulations, and we will not initiate or support legal action against you for accidental, good faith violations of this program;
- Authorized in view of relevant anti-circumvention and copyright laws, and we will not bring a claim against you for circumvention of access control technological protection measures; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If legal action is initiated by a third party against you and you have complied with this program, we will take steps to make it known that your actions were conducted in compliance with this program.
If, at any time, you have concerns or are uncertain whether your security research is consistent with this program, please email your query to csirt@apnic.net before going any further.
Thank you
As a not-for-profit, it is difficult for us to pay out financial bounties, but we really appreciate your help in safeguarding our systems. If we confirm your finding as a new vulnerability, we can recognize your contribution in the section below. Please let us know if you’d like to be publicly thanked.
APNIC would like to thank the following security researchers for making a responsible disclosure to us.
- Kelvin Wanja (Thee Eclipse)
- memmas
- Tansel Çetin
- Ali Al-Akbar (ExeC_IQ)
- Swajyadip Tembhurne
- Ahmed Sameer
- Harshal Bafna (harrybafna89)
- Vinoth Murugesan
- Prince William
- Guga_Saas
- buraaqsec
- Ghulam Yaseen
- Fredrik John Sanger (@kokurate)
- Suvam Adhikari
- Aman Singh
- Ahmed Abdalkhaliq Abdulla
- Abison Binoy
- Abir Khan Hridoy
- Vivek Muthuswamy
- Abhijeet Sarkar
- Tomer Meir
- Badreddine Belkadi
- Usama Zahoor
- memmas
- Raja Uzair Abdullah
- Zahi Ohana
- Anupam Singh
- Vascuta Denis
- Tan See Jou
- Saeed Hashem
- Miguel Santareno
- sryakarad
- Ananda Dhakal
- Yacin-Djo
- Shaunak Khosla
- Amethama Luturmas
- Bikram Sharma
- Gaurang Maheta
- Busra Turak Gokalp
- Ahmed Basiony
- Mohamed Ali Abidi
- Takshal Patel (tojojo)
- Deepanshu Devaliya
- Aryan W13D0M
- Tsung-Yi Yu (SteveYi)
- Deepak Kumar
- Mümin Köykıran
- Tan See Jou
- Mohamed Abdelkader
- Khadir Osama Khadir (@ii42)
- Çağrı Eser
- Eslam Kamal (Strik3r)
- Hemant (cyber__hawk)
- Heli9
- Rafshanzani Suhada (0xshdax)
- Amgad Esam (mega7)
- Mahmoud Elgendy (mr_baka)
- Sujan Thapa Magar (Eminence Ways)
- Zhu Jiahao
- Samprit Das
- Harinder Singh (S1N6H)
- Mayur Parmar (th3cyb3rc0p)
- Prince Prafull
- Lokesh Bhade
- Faizan Ahmad Wani
- Parshwa Bhavsar
- Rahul Parmar
- Numan Rajkotiya
- Syed Soel Hossain
- Samasree Das
- N Krishna Chaitanya
- Rafi Ahmed (Leonidas)
- Jefferson Gonzales (Gonz)
- Renganathan
- Shubham Pandey
- Dharam Shah
- Shay Ben Tikva
- Ankur Acharjee
- Mark Salazar (Pusakal)
- Rajib Bar
- Shubham Mandloi
- Kinshuk Kumar
- Amandeep Pawar
- Jebarson Immanuel
- Gaurang Maheta
- Joross Esguerra
- Abilash.V.L
- Cory Exelby
- Tuhin Bose
- FPT Software CyberSecurity Assurance Service
- Mohammed Magdy
- Denny Abraham Sinaga
- NVADR – RedHunt Labs
- Sakshi Patil
- Niraj Mahajan
- Pritam Mukherjee
- Ashish Halle
- Dhrupad Joshi
- Rachit Verma
- Amit Kumar
- Chirag Ketan Prajapati
- Akshay Parse
- Ahmed Salah Abdalhfaz
- Prathamesh Surekha Prakash Pawar
- Sakshi Patil
- Vivek Panday
- Gourab Sadhukhan
- Shubham Panchal
- Nam Ha Bach
- Dhiraj Ramteke
- Avula Tharun
- Jake Flint
- Paska Parahita
- Muhammad Rafi Albaihaqi
- Souvik Mondal