Last Modified: June 17, 2026
Responsible Disclosure
We work with security researchers to keep up with state-of-the-art web security. If you've discovered a vulnerability that has a real, demonstrable impact on our products or our customers, we want to hear about it, and we'll make every effort to acknowledge your contribution.
To keep our review focused on issues that genuinely put customers at risk, please read what qualifies below before you submit. Reports that don't describe a reproducible security vulnerability with demonstrated impact will be closed without a Hall of Fame mention.
What qualifies as a security vulnerability
We consider an issue a security vulnerability when it is a weakness that can be exploited to:
- Expose customer or system private information, such as credentials or other data you should not have access to.
- Escalate privileges, or reach accounts, records, or administrative controls you should not have access to.
- Threaten the stability of our services, for example by allowing a remote attacker to take a service offline.
Examples of issues we want to hear about include:
- Remote code execution or command injection.
- Authentication or authorization bypass, account takeover, or insecure direct object references (IDOR) that expose another customer's data.
- SQL injection, server-side request forgery (SSRF), or stored cross-site scripting (XSS) that affects other users.
- Any flaw that lets a remote attacker modify accounts, DNS records, or administrative controls without authorization.
A valid report demonstrates the issue with clear reproduction steps and a working proof of concept. An issue that is only theoretical, and cannot be demonstrated in practice, has no impact and will not be treated as a vulnerability.
What we don't consider a vulnerability
We receive many reports that, while sometimes well-intentioned, do not describe an exploitable security vulnerability. To keep our response time fast for genuine issues, the following are out of scope and will be closed without a Hall of Fame mention.
Best-practice and hardening suggestions with no demonstrated exploit, including:
- Missing or misconfigured security headers (for example CSP, HSTS, or X-Frame-Options).
- TLS/SSL configuration or cipher-suite preferences.
- Cookie flags (for example Secure, HttpOnly, or SameSite).
- Software, framework, or version and banner disclosure without a known, exploitable vulnerability.
- SPF, DKIM, or DMARC configuration suggestions.
- Absence of rate limiting or brute-force protection without a demonstrated impact.
Low-impact or theoretical findings that cannot be exploited in practice, including:
- Raw output from automated scanners without a validated, working proof of concept.
- Self-XSS that requires a victim to paste content into their own browser.
- Clickjacking on pages with no sensitive or state-changing actions.
- Username, account, or email enumeration.
- Verbose error messages that do not leak sensitive data.
- Open redirects on non-sensitive endpoints.
- Issues that require physical access to a device, or an already-compromised account or device.
Usability and product feedback, including user-experience improvements, functional bugs with no security impact, and feature requests. These are valuable, but they are not security vulnerabilities. Please send them to support@dnsimple.com so they reach the right team.
Reporting Security Issues
Send urgent or sensitive reports directly to security@dnsimple.com, and use our public key to encrypt your message. We aim to respond within 3 business days, though we often respond faster. Please provide us with a secure way to respond.
To help us investigate quickly, every report must include:
- A clear description of the vulnerability and the affected system or URL.
- Step-by-step instructions to reproduce the issue.
- A working proof of concept.
- An explanation of the real-world impact, describing what an attacker can actually do.
Reports that don't include enough information to reproduce the issue and confirm a real security impact will be closed without further investigation.
We recognize the first person to responsibly report a valid vulnerability in our Hall of Fame below. We do not operate a paid bug bounty program.
If you haven't heard from us in 3 business days, please follow up via email.
For requests that aren't urgent or sensitive, you can submit a support request.
Systems in Scope
The following are in scope for our responsible disclosure program:
- The DNSimple web application (dnsimple.com)
- The DNSimple API (api.dnsimple.com)
- The DNSimple sandbox environment (sandbox.dnsimple.com)
For more information about our security practices, please see our Security page.
Testing Environment
If you're interested in conducting security research against our systems, please use our sandbox environment rather than our production systems. The sandbox runs the same web application as production but does not contain production data. For information about activating your account on the sandbox, please see our developer documentation.
Disclosure Process
Here's what happens when you submit a report:
- Acknowledgment: We acknowledge your report and provide a way for you to track your issue.
- Investigation: We investigate the issue to determine its impact. We work with you to ensure we fully understand the issue, but we don't disclose issues until our investigation is complete.
- Resolution: Once the issue is resolved, we inform the submitter. At our discretion, we may publish an update on our blog, support site, social media, or other channels.
- Coordination: We use a variety of technologies at DNSimple. Security issues may affect multiple systems or third-party dependencies. We appreciate your patience while we coordinate with other affected parties. You'll always have a DNSimple contact for your issue.
Hall of Fame
The following members of the security community have responsibly contributed to the identification and closure of security issues at DNSimple. We thank them for helping keep our platform and customers safe:
- Clifford Trigo (@MrTrizaeron)
- Jayson Zabate (@asdJsonYou)
- Osanda Malith Jayathissa (@OsandaMalith)
- S.Venkatesh (@PranavVenkatS)
- Kesav Viswanath Nimmagadda
- Rakesh Singh & Sandeep Sodhi (@zerodayguys)
- Abdullah Hussam Gazi (@Abdulahhusam)
- Muhammad Talha Khan
- Simone Memoli (@Simon90_Italy)
- Kamil Sevi (@kamilsevi)
- Ch. Muhammad Osama
- Abdul Haq Khokhar (@Abdulhaqkhokhar)
- Kalpesh Makwana (@makwanakalpesh2)
- Thirukkumaran.K
- Mohamed Abdelbaset Elnoby
- Abdul Rehman (@Abdul_R3hman)
- Ahmed Jerbi (Web Plus)
- Indrajith.AN
- Sumit Sahoo
- Vineet Kumar
- Md. Nur A Alam Dipu (@Dipu1A)
- Anil dj (adeathunt)
- M Shahzaib
- Ramdani
- Security Assurance Team @ Storebrand