Responsible Disclosure

PagerDuty takes security vulnerabilities and concerns seriously. We encourage our users and members of the security community to privately and responsibly report possible vulnerabilities and incidents to us so that we can address these issues quickly.

If you have a security concern or wish to report a vulnerability in our product, please email us at security@pagerduty.com (use our PGP key to encrypt the email if the information is sensitive). We’ll keep all information confidential and work with you to make sure we understand the issue and address it as quickly as possible. We request that you do not disclose any information publicly until we have been able to understand the impact and mitigate the risk.

All issues reported to the PagerDuty Security Team will be investigated promptly.

• We’ll acknowledge your report as soon as we can.
• We’ll investigate the issue fully. (We may elect not to disclose any information publicly until the issue is fully understood to mitigate any risk.)
• Once the issue is resolved, we’ll alert any affected customers.

If possible, please send the following information:

• Exact reproduction steps, in text format. We will not accept POCs in any video format.
• URL and parameters demonstrating the vulnerability.
• Any relevant details of your system’s configuration, such as any browser or user-agent information.
• Your IP address and PagerDuty account, to coordinate with our logs.
• Please do not send any executable attachments.
• If the information is sensitive, please encrypt your email with our PGP key.

What is not a valid issue:

• If your POC depends on executing a man-in-the-middle (MITM) attack, your report will not be accepted, as this is out of scope for PagerDuty.
• Best practices. We don’t accept submissions that are simply configuration/policy suggestions. This includes things such as hardfail SPF records, DMARC, and others.
• User/account enumeration.
• Login/Logout CSRF.
• Email spoofing.
• Clickjacking and similar techniques.
• Cookies without “Secure Flag”, our site is all HTTPS with strict-transport-security.

(Note this is not an exhaustive list, just the most common. Just because something doesn’t appear on this list, it does not automatically make it a valid bounty awarded submission.)

We ask that you use common sense when seeking out security bugs. Do not attempt to compromise other users or accounts on PagerDuty or attempt to impact the stability of our infrastructure (Denial of Service attacks, etc). Vulnerabilities should be disclosed to us privately, and we should be given reasonable time to respond.

Running security scanning tools tends to create more noise than useful information. While we appreciate research and disclosure, we kindly ask that you do not use scanners to find vulnerabilities.

Thanks for Working With Us

We respect the talented people that locate security issues and appreciate all efforts to disclose responsibly.

 

PagerDuty Security Team PGP Key

If you wish to communicate privately with us about your concern, you can use the following PGP key to encrypt your message to us and verify any signed messages you receive from us. This key is also uploaded to a variety of common key servers.

Key ID: E6E3F1BE
Fingerprint: EF49 9DFB 8457 B662 0919  D702 B05A 3200 E6E3 F1BE
User ID: PagerDuty Security  <security@pagerduty.com>
Key: 4096-bit, RSA


-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFK43kkBEACrYnSnA/IFpo7tdNTip9tkmVNsREZHXNU50F95vLvpwoYpXfXluIruokRk
5XnO6CBCCpIuA0MHuWGAdC1glAduJnQzWTHNHXDR6GJJuXNWpQWJW7H4kkQKlux+pEDAD5IP
L77tWCLgwQNTUUoXCPIpi1EL7Irhhyf5bTs2qMK4clUdyKX1lcA961KyY3ffap1+tq+tEU8z
R/RykxYfkIWkUTuO42wk+odYL7XHFx98iOhnRL8QBTGqMQkkjWcO/RPwthsKkVKGctrdorNj
dxDTofHREm85NiQKqwc0PdfrvDNDZCJlzsJ1b2/fliUSAWkezAQ1f67huUjBUoQc4L6xzYdj
yey0I6+aVze6e7zAP7uPLbVl3nL7T+ehijm49AZufN/gUql/1HmB5sAUvYN9QV1WgCX4Ehbq
/+KYwsUk9xsZ2YDWl3f3vnNMdU6wn0ljCntpTvnr3MC3S+KCm17yR+9HgUeimvWepK8r2B/9
kw68JYrs/oUdx5+Eyw9I4wGVTIMxW2PfsSZx5Zgc9pyGazLRFvwGX1PJMdy+7gmAbHBJj4af
6PonWXwtQeZBwco5H9D5f4t5g5zUVq3Uh1ciz9hpUmWsT7sB2H0YyNfr2mQFu4TkQ6nV+tSi
ZGF/cqDAEpNrqrk6C9jx9+HunZBaaffE8QQx5YOdQHPSXP3O6QARAQABtCtQYWdlckR1dHkg
U2VjdXJpdHkgPHNlY3VyaXR5QHBhZ2VyZHV0eS5jb20+iQI3BBMBAgAhAhsDAh4BAheABQJS
uN51BQsJCAcDBRUKCQgLBRYCAwEAAAoJELBaMgDm4/G+IbUP/3bdleGOg2TG4GkotpSo5v0r
QAb9gQQTpJztY22SmdHrRD6qbKSvL9d94/wCgZsa4Sngh2O3x9TANw5+ljd3pZsjSnk5u3xN
GwOKyxXo99ABhmUVt3fkKt+u+o7XY22ZGm/C55MOOBS8wTPh+20VV+FclqpNRbNJiTJMN/wi
TIVIW2ZL4+gbQrwvqVmotxKFRB1GYl8D6+1dXEoi4UtGgjwmMNemSvXXrqD9GA8nqEvDPluu
1sJIBeAyzT2sFuQ+XM5DErelLVTqvgWC5KUEzHm4WN9rvrtiVhKGnDMmYE5aYBJjeSauY1mc
gBAvcVh3qIrRHHtVr/zK7ldtmC99lkOJd0PhjApLGklm7WHqWlGjCDV4PxHOyjviVp2sVzTe
xlTFSTQm4XQrwg7OWZFdoJ6HeWmTyOTzTPL4pFo3kX2En8dvAmDLi8zlNc4CvQX8NjtWwnzk
JrHiV/H2I5Xr9G+nxpffmq296lSIoufedsd6yMctzjkJH5bmPe2htpqeaCXO5imstF7JLY3B
fTk0sRxLdNXrZOFRGG3C/DuMggr8cua0jXJeq97avOutcE0IzfPHGxv3Q3MSioVbBt7z51V/
hdrjeEEAg8rk9dz5jk+NLTW8S6g+RhMoq+yfIu1zRX+2qW0iPawQxUXB+SRYWg4YqgLmB/zC
y9s7duMWy0xYiQI4BBMBAgAiBQJSuN5JAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAK
CRCwWjIA5uPxvkZsD/9+CwQkm8t/5Fc6CWpomjBuoQxlxQkCXSw2oQFqKRKhJx3UhNzpuYuS
0ybEk1WyR8AdkrkrUDkuI+flnwlHK2XpLDOrbDtLwU7+yUKF0wD3KKjaeSCuDrqgYMj4jw7c
nJZQRtAdG6Xgedn1Q3pWDy5W4dmzK9U9TIZda1RHXYomnuxlVU1EZp8blViea/TkiO3nQ0+I
RxebljKUcpypXBRHsz7e7+Zek2VggKSwYweWzYZykWUu0d7YiETSsSVRERh+l4Gbc41SlSV2
hB7g/K2gIjTPP5cU93uLtSsevkuDLgWBnqrdjlY52YwsphPK/CWDisxJdwfq7YV7537L2/Wr
fIS4zPjvDvNeVxcpuFriTee8GU/k5UqxscLZ2jGwVzVA3dhfsNVe/zUsgIpgfTEJLl9dhQyW
tsElD8kJU2ElYfv3QxQFlcn3OB5fuFkwD9isI8DvdvyrdMuSKEbN7Kpq0AL7BRf66X1q107m
peG7WYqy2405WV/0KEXYZmCsju10M6vv5na18LlSfkl/LdVudpcglKIAp/FgUndeboyTJD7A
j+pF80J/uwtsAEPe3Q+ykjlxGWFXfyEsUuF14f/I/gPkwz3S9JWRmJvdf7rglh886WtOAx9V
tm2DhFj2UgXJWkU1wB4aiQUGsNUr4PERoDC4q7SHaczPyTJ5y7LggLkCDQRSuN5JARAA7HcQ
gHq68rEZRFS1UC9WjcDuAqXFdPoqw+xCJjH7mlBw8/+qmFiGsqYsYme9NKiYlMgehIXBNoRh
LF2U37ouVZlq/oxiC2mJMULzf3zgrfhKJtqGhvdZOtyc6weDAsfGDAi4nrHSjWGcsnhUzg83
kFa7LUbahEINtV7C0hKjAHceGrVvcN2YRFWE3MOSn0W1rAnTRoIhoFiIlf89Cmr8MISAmG0v
1OKTF5FwARhvML4M0UfkIdTXxXwqrWZFYeafylur507X2qwBecC29ZMghVIqC/xB9IN6fZfc
NLXH+huT+avVPUoMLhHEFaY8cxyxlTlfx8hXKk9tsxw+Pa7ChsC5NK9/dvEqEhROfjRKANH+
vdhIPFWNVQLUTXhIsZBehS2WAZvPK30GpaAb3sE6vRX7aIMoSb6FSghklSUM2/NUpbuH9daH
w/H8vXHYhXG02vGubAaZNSCDTWXl4TMVQQQSfJ2M1S/f+rDveHc8DGkv+CGwRIIFdv7RSfkR
yQnIfHsOZGye8G0aPRZVKykt8r/zsVpZW4fwVxYwIDyWuShT7mxRZeIOTYPOe9G1X3R5BO1z
+9R1DoQ0nPrizasjzy8hXzW5B59Hzny7ZTL4afelP+MekuvoN02TgmBc2zOrsZVaZMw3DIuo
axU5HGc/rKM8SmmUc33M3dreass7TGUAEQEAAYkCHwQYAQIACQUCUrjeSQIbDAAKCRCwWjIA
5uPxvlJbD/9HHChdsqwri85xnQr1cRaFqv4fg1JrRhNYgYa0THlLT5tp+h5lhoJmfBWqfDnz
JlaHWJPA45V7ZM+1paFux78vL9cgR96jUHregEaNNLjcQcTqvig+SOt34zw7fIGtOSfqqzNh
9KfDKOS7ZLF2/2shfi7ece6uSv5vilNRPG+0ZHxcqfzgrurgP+ddGjlaUtZyhluXO2Xh5pq1
SoDKUh26ue/9kKUdhx1R/lToPlbmP2jCz8OzHmb+Nof522HnYIWMXRYD9UI4jz+c7BbrnK2q
nukp5ByilH6Jt8fxpKwYqKCjzbvW1dLMnl6ar7hVyAvvo37KE2A13ibvGj4L1MZAmPJQbNB/
51eEbj7aTBb+OZyOyrIfEffJSMcKrGZx3Mta3cCx1A8hRDVRGrinZ5XYRW2XiXvpMqnwlUCP
BGOSzcq95q1Rp8OYZNYVxmPPyQZC1DKopBx2rsAvPPsj+WyJ3LKm93mO5wE2yH/DFk9ZTaRQ
7S+5lSbL3SOgW2XUlTURqEvMJW5WRat0n6oZ7aUewL39TyKFNLRxZLeelndLUkqB0/vRRT8p
I3zz9MxnHNxyST6FO+z6VUin5eV92n6J0MDua2PzrOLkjU47Q7FBcWKtggedzv2I64Dq/8wh
t2zdJ1ewgqO4NNW4yOq6hGVgfUGeX89VamBwApgOkNHCLLkCDQRSuN6NARAAuh/Ovw2Jbg4a
tBFRih2k2VoX7odQkms6rgULzqykVHcOQLeldepbxf2KQXCDljLeOrZrST474BmWaNw8l/H1
dqirs9SbaseieX2X/BPMLGAOI6/33YB/xve9WqXHs6L//1W7JKoLj72rphpVnG/RYxQgwXnn
sVQHGHe8oG7j5oNHEHLUeaCeYLTzIMJB9n0eTFNQz9vYyzu1KFvGg0nSmI/EWmCrGofxdDce
MP1GS7eEGr9EbNjGC8rHIoKOHu7gQdJwJhJyYlPOOx65ARW15kRpVEen2dxc8aUDruJOteA5
E7IWKeczzETZRx/EbYlAEQ9hC2Zbc78ek6tXKnbuvhOSf+XKaKJddmTuprOpHm8IZTdBqFMV
BB4cFBVSGfIi0kR8HiixpH2V9Pudo3g+IMDPQOqDFhg5/OtsVk0ekSSrKxYFbeRiRsLGWqAV
RsmpacyamS5DGXtRgkAUJh5PTjsybxj6oL85F9Geg7Q/1cY0tT9XB9s6wuZcp3ywKmdwBzdL
xA+ymrK9rBO/IIjMX1iVOWv4phfc3pyknMgBPnnQiyGw6QYPkOG0zRXkNfVzUjKYUYKa+o5R
cFXFj071VLnITT2NgryAGvJPL4y1uZzmjTWz8DHAavggpfIJgbuea2MhydqGmelIklUZXnC8
NyPT5iGkCG6n3XscjxSXavkAEQEAAYkEPgQYAQIACQUCUrjejQIbAgIpCRCwWjIA5uPxvsFd
IAQZAQIABgUCUrjejQAKCRD0Mb/79hWmnlTbD/0TsuIvsLMR8x8gA7Ern6hSKhvOcO014pB6
U5STjHf1mOadV1SuqQYpwjO4lPkgHKsD6clISDzq0Vk1bUdXdfFv2B76W2iGIBCW2IMCaFjX
HJZ/mCNZGo7B+hUJCK+RKzKeXRXGKiICqaXyLNa3S8B5ykFWSOD8/GcEWAs2MPd89fqGyYyX
2vPH0wS4ouo9CVQ0IprKoqpIMSDQvH/cnU8BoqKT90W5Z5VDzRwJCUnWMSxa28CcYS7uYG6K
zejfRHnRqGmenPT+ZsaiKC752YDVBXrKV8AFw4YZfQCmLJtbexDgmMN8TUcNAxyRVn0mOkEc
Jlx2MDSRjXeRrz/ndUm5ujpMEw2U1VzJWspkDVnhWFVpac3EA83N0FKMeLgHVCCARjhjddas
fdXu/0xibgOFqRTbdF28GroVzXxCHGAkcsXrWRE9RLx4fP19+JRAIRs0V50APGZVNVKFMtNO
nKCksysLSs8GUZeBXKj4T85a1JQQpHakzB3Guo5RihYnZqXcMjdivO4to+iwhNdWwJOZ09Bl
5U44BVvzAGjW2POcNwZUenxEOTHIB4jKKNuZ5hadv4gvMyfxhZ0i87iPaiFqlaOkF2K84qOW
Yq4uo0NmaT5gd/7c+MNHHxFeoaeYm8d7zRkN9JWSa1ofoX3uITbyD+fewIyEI5eEmKzbgAtq
8rHID/41XROq9NryMCtoIdVPVHbpAeRj/qiesfLtPYtIjVdCHipf85ljHl2gJYYNr79wx5UH
S+O1V/WVnMMKYhLHVabG8EPpVjwHS4IMiNxAA9eeiiUnQpCIfKbhqQZ17GxesZaligvLowf7
IdnlnOEhz0PALl97wDAROFmxK0JoBkzf8Uf4REbL02CNfF3GqsAkxAqbulnBByLkUhXcK0SN
H7phd0T2DxI3OKuQ4+HcnBYtYvnlX35MM1euzcut9GP39EWz/j+4YHIZaX6UKdqTZQ5xWDvF
ygE8KCb4/w0kMxJ8VhCgabxGeGVyqHAbp4pGLZwF7fzS6r8SApfwuKOAgxNbWIvLrqGTiT98
clg/bweIvkF1P0HS14aCJqtppiLGiebSI+xOe6XAiEl7VpdefM7hNTnzsB2G+m2e0wzUuvt4
3VF1e5TBMNPQ1Y3IsrkLim3JQUNk68MnqSnp1XmRU4+SaI3bDJpWtGbK7gU05P6Dc4b6C/IZ
E0YB3tvtdLRDs0UCeXGVbtb49fGta57WqvVtJHEX3af2GpvBBbjeR8vyXH4jO4EChSiNhIfj
/YEiBtYBwwDmGjk76aTwTTk4Ky6VZzLN7qDJ96YhEwtzV80BvszcQHZD9ksxpc328PkSgfaR
2XaSEu8Gu53jiXCIKBbeKAQRwbOHwhG23TY4DfK2wQ==
=iM3E
-----END PGP PUBLIC KEY BLOCK-----