Responsible Disclosure

PagerDuty takes security vulnerabilities and concerns seriously. We encourage our users and members of the security community to privately and responsibly report possible vulnerabilities and incidents to us so that we can address these issues quickly. If you have a security concern or wish to report a vulnerability in our product, please email us at security@pagerduty.com. We’ll keep all information confidential and work with you to make sure we understand the issue and address it as quickly as possible. We request that you do not disclose any information publicly until we have been able to understand the impact and mitigate the risk.

All issues reported to the PagerDuty Security Team will be investigated promptly.

• We’ll acknowledge your report as soon as we can.
• We’ll investigate the issue fully. (We may elect not to disclose any information publicly until the issue is fully understood to mitigate any risk.)
• Once the issue is resolved, we’ll alert any affected customers.

If possible, please send the following information:

• Exact reproduction steps, in text format. We will not accept POCs in any video format.
• URL and parameters demonstrating the vulnerability.
• Any relevant details of your system’s configuration, such as any browser or user-agent information.
• Your IP address and PagerDuty account, to coordinate with our logs.
• Please do not send any executable attachments.
• If the information is sensitive, please encrypt your email with our PGP key.

What is not a valid issue:

• If your POC depends on executing a man-in-the-middle (MITM) attack, your report will not be accepted, as this is out of scope for PagerDuty.
• Best practices. We don’t accept submissions that are simply configuration/policy suggestions. This includes things such as hardfail SPF records, DMARC, and others.
• User/account enumeration.
• Login/Logout CSRF.
• Email spoofing.
• Clickjacking and similar techniques.
• Cookies without “Secure Flag”, our site is all HTTPS with strict-transport-security.

(Note this is not an exhaustive list, just the most common. Just because something doesn’t appear on this list, it does not automatically make it a valid bounty awarded submission.)

We ask that you use common sense when seeking out security bugs. Do not attempt to compromise other users or accounts on PagerDuty or attempt to impact the stability of our infrastructure (Denial of Service attacks, etc). Vulnerabilities should be disclosed to us privately, and we should be given reasonable time to respond.

Running security scanning tools tends to create more noise than useful information. While we appreciate research and disclosure, we kindly ask that you do not use scanners to find vulnerabilities.

Thanks for Working With Us

We respect the talented people that locate security issues and appreciate all efforts to disclose responsibly.