HOWTO: Report a Security Issue to PeeringDB
PeeringDB works hard to keep its systems and data as secure as possible. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner.
Our responsible disclosure policy is not an invitation to actively hack and potentially disrupt our system and services. We reserve the right to sue researchers for penetrating or attempting to penetrate our systems.
PeeringDB does not permit the following types of security research
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is prohibited:
- Performing actions that may negatively affect PeeringDB or its users (e.g. any form of Denial of Service attacks)
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on PeeringDB personnel, property or data centers
- Using social engineering to target any PeeringDB team member
- Violating any laws or breaching any agreements to discover vulnerabilities
Scope of the network
The following is in scope:
- The www.peeringdb.com website and any of its sub-domains, services, APIs and infrastructure.
- Any (internet-facing) infrastructure owned and operated by PeeringDB.
The following list of issues have already been reported to our Security team, reviewed, and deemed out of scope for the purposes of this program. Please do not report any of the following classes of issues. Unless there are exceptional circumstances or novel attacks, these issues will be rejected:
- Missing, or not 'properly' configured SPF, DKIM or DMARC records.
- The presence of public services such as robots.txt or FTP.
- The availability of DNS zone transfers.
- Reports of old software versions without a working Proof of Concept of an exploit.
This is not an exclusive list. If you report a vulnerability that has already been reported by someone else, we will let you know. In that case you are not eligible for our Security Hall of Fame or swag.
What we request from you
- Please do not share the issue with others until it has been resolved.
- Please do not publish anything about the resolved issue unless this has been discussed with us.
- Email your findings to firstname.lastname@example.org. You may submit a notification under a pseudonym.
- Please provide enough information for us to reproduce the issue so that we can resolve it as soon as possible.
- Please delete all confidential information obtained through the vulnerability as soon as possible after reporting it. Please do this after consulting us to make sure that we can reproduce the issue.
What we promise
- We will act with urgency and necessary resources to resolve the issue.
- We will strive to respond to your report within three business days with our evaluation of the report and an expected resolution date.
- We will handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.
- After a major security issue has been solved, we will publish a report on our website explaining the vulnerability discovered and how we fixed it.
- If you agree to have your name used in the report, we will credit you. Note that we will only credit the first person that reported a specific vulnerability to us.
- After your vulnerability report is verified, the security team will inform you if you are eligible.
- We will send you a unique token of our gratitude, such as a personalized cup, hat, or hoodie.
- We do not issue monetary rewards for reported vulnerabilities.