As a critical component to DNS, domains, and SSL certificates, we take your security seriously. The following illustrates how we handle security, and provides a way to get in touch with us for security-specific issues. By reporting those issues, you help us continue to be the best DNS hosting option available.
Reporting Security Issues
Send urgent or sensitive reports directly to firstname.lastname@example.org, and use our public key to keep your messages safe. We'll get back to you as soon as possible, usually within 24 hours. Please provide us with a secure way to respond. If you haven't heard from us in 24 hours, follow up or ping us on Twitter. For requests that aren’t urgent or sensitive: submit a support request.
Tracking and Disclosing Security Issues
If you're interested in executing tests against our systems for your security research, please use our sandbox system rather than our production systems. The sandbox system is running the same web application as production but does not involve production data. For information about how to activate your account on the sandbox system please see our developer documentation.
We work with security researchers to keep up with state-of-the-art web security. If you've discovered a web security flaw that might impact our products, please let us know. Here's what happens when you submit a report:
- We acknowledge your report and provide a way for you to track your issue.
- We investigate the issue to determine its impact. We work with you to ensure we fully understand the issue, but we don't disclose issues until our investigation is finished.
- Once the issue is resolved, we post a security update along with thanks and credit to the first researcher who reported the issue.
- We use a variety of technology at DNSimple. Security issues may affect any of the technologies we use. We appreciate your patience while we make sure other companies and their customers are protected. In any event, you'll always have a DNSimple contact for your issue.
The following members of the Internet community have responsibly contributed to the identification and closure of security issues in DNSimple:
- Clifford Trigo (@MrTrizaeron)
- Jayson Zabate (@asdJsonYou)
- Osanda Malith Jayathissa (@OsandaMalith)
- S.Venkatesh (@PranavVenkatS)
- Kesav Viswanath Nimmagadda
- Rakesh Singh & Sandeep Sodhi (@zerodayguys)
- Abdullah Hussam Gazi (@Abdulahhusam)
- Muhammad Talha Khan
- Simone Memoli (@Simon90_Italy)
- Kamil Sevi (@kamilsevi)
- Ch. Muhammad Osama
- Abdul Haq Khokhar (@Abdulhaqkhokhar)
- Kalpesh Makwana (@makwanakalpesh2)
- Mohamed Abdelbaset Elnoby
- Abdul Rehman (@Abdul_R3hman)
- Ahmed Jerbi (Web Plus)
- Sumit Sahoo
- Vineet Kumar
- Md. Nur A Alam Dipu (@Dipu1A)
- Anil dj (adeathunt)
- M Shahzaib
DNSimple Security Overview
All credit card transactions are processed using secure encryption. Card information is transmitted, stored, and processed securely on a PCI-Compliant network. We currently use Stripe for processing all one-time and recurring payments. More information about Stripe's PCI compliance may be found on the Stripe site.
All servers have rigid access control and only provide access to the services that are required on that server. We regularly update our infrastructure to incorporate patches and updates.
All data is backed up on a regular basis to off-site backups.
Account passwords are stored with one-way encryption so even we do not have access to them.
We provide multi-factor authentication for user accounts using a time-based one-time password algorithm, an external hardware security key, or platform authenticator such as Windows Hello, Apple Face ID, Touch ID, and Passkeys. You can enable multi-factor authentication from your user page.