All issues reported to the PagerDuty Security Team will be investigated promptly.
- We’ll acknowledge your report as soon as we can.
- We’ll investigate the issue fully. (To limit risk, we may elect not to disclose any information publicly until the issue is fully understood.)
- Once the issue is resolved, we’ll alert any affected customers.
If possible, please send the following information:
- Exact reproduction steps, in text format. We will not accept POCs in any video format.
- URL and parameters demonstrating the vulnerability.
- Any relevant details of your system’s configuration, such as any browser or user-agent information.
- Your IP address and PagerDuty account, to coordinate with our logs.
- Please do not send any executable attachments.
- If the information is sensitive, please encrypt your email with our PGP key.
What is not a valid issue:
- If your POC depends on executing a man-in-the-middle (MITM) attack, your report will not be accepted, as this is out of scope for PagerDuty.
- Best practices. We don’t accept submissions that are simply configuration or policy suggestions, such as requests for a hard-fail SPF record, a DMARC policy, and the like.
- User/account enumeration.
- Login/Logout CSRF.
- Email spoofing.
- Clickjacking and similar techniques.
- Cookies without the Secure flag: our site is served entirely over HTTPS with Strict-Transport-Security.
(Note that this is not an exhaustive list, just the most common cases. The absence of an issue from this list does not automatically make it a valid, bounty-eligible submission.)
We ask that you use common sense when seeking out security bugs. Do not attempt to compromise other users or accounts on PagerDuty, and do not attempt to impact the stability of our infrastructure (denial-of-service attacks, etc.). Vulnerabilities should be disclosed to us privately, and we should be given reasonable time to respond.
Running security scanning tools tends to create more noise than useful information. While we appreciate research and disclosure, we kindly ask that you do not use scanners to find vulnerabilities.
Thanks for Working With Us
We respect the talented people that locate security issues and appreciate all efforts to disclose responsibly.