Responsible Disclosure

We work with security researchers to keep up with state-of-the-art web security. If you've discovered a security vulnerability that might impact our products, please let us know. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

Reporting Security Issues

Send urgent or sensitive reports directly to security@dnsimple.com, and use our public key to encrypt your message. We aim to respond within 3 business days, though we often respond faster. Please provide us with a secure way to respond.

If you haven't heard from us in 3 business days, please follow up via email.

For requests that aren't urgent or sensitive, you can submit a support request.

Testing Environment

If you're interested in conducting security research against our systems, please use our sandbox environment rather than our production systems. The sandbox runs the same web application as production but does not contain production data. For information about activating your account on the sandbox, please see our developer documentation.

Disclosure Process

Here's what happens when you submit a report:

1. Acknowledgment: We acknowledge your report and provide a way for you to track your issue.
2. Investigation: We investigate the issue to determine its impact. We work with you to ensure we fully understand the issue, but we don't disclose issues until our investigation is complete.
3. Resolution: Once the issue is resolved, we inform the submitter. At our discretion, we may publish an update on our blog, support site, social media, or other channels.
4. Coordination: We use a variety of technologies at DNSimple. Security issues may affect multiple systems or third-party dependencies. We appreciate your patience while we coordinate with other affected parties. You'll always have a DNSimple contact for your issue.

Scope

The following are in scope for our responsible disclosure program:

• The DNSimple web application (dnsimple.com)
• The DNSimple API (api.dnsimple.com)
• The DNSimple sandbox environment (sandbox.dnsimple.com)

For more information about our security practices, please see our Security page.

Hall of Fame

The following members of the security community have responsibly contributed to the identification and closure of security issues at DNSimple. We thank them for helping keep our platform and customers safe:

• Clifford Trigo (@MrTrizaeron)
• Jayson Zabate (@asdJsonYou)
• Osanda Malith Jayathissa (@OsandaMalith)
• S.Venkatesh (@PranavVenkatS)
• Kesav Viswanath Nimmagadda
• Rakesh Singh & Sandeep Sodhi (@zerodayguys)
• Abdullah Hussam Gazi (@Abdulahhusam)
• Muhammad Talha Khan
• Simone Memoli (@Simon90_Italy)
• Kamil Sevi (@kamilsevi)
• Ch. Muhammad Osama
• Abdul Haq Khokhar (@Abdulhaqkhokhar)
• Kalpesh Makwana (@makwanakalpesh2)
• Thirukkumaran.K
• Mohamed Abdelbaset Elnoby
• Abdul Rehman (@Abdul_R3hman)
• Ahmed Jerbi (Web Plus)
• Indrajith.AN
• Sumit Sahoo
• Vineet Kumar
• Md. Nur A Alam Dipu (@Dipu1A)
• Anil dj (adeathunt)
• M Shahzaib
• Ramdani