Responsible Disclosure
If you have a security concern or wish to report a vulnerability in our product, please email us at security@pagerduty.com (use our PGP key to encrypt the email if the information is sensitive). We’ll keep all information confidential and work with you to make sure we understand the issue and address it as quickly as possible. We request that you do not disclose any information publicly until we have been able to understand the impact and mitigate the risk.
All issues reported to the PagerDuty Security Team will be investigated promptly.
- We’ll acknowledge your report as soon as we can.
- We’ll investigate the issue fully. (We may elect not to disclose any information publicly until the issue is fully understood to mitigate any risk.)
- Once the issue is resolved, we’ll alert any affected customers.
If possible, please send the following information:
- Exact reproduction steps, in text format. We will not accept POCs in any video format.
- URL and parameters demonstrating the vulnerability.
- Any relevant details of your system’s configuration, such as any browser or user-agent information.
- Your IP address and PagerDuty account, to coordinate with our logs.
- Please do not send any executable attachments.
- If the information is sensitive, please encrypt your email with our PGP key.
What is not a valid issue:
- If your POC depends on executing a man-in-the-middle (MITM) attack, your report will not be accepted, as this is out of scope for PagerDuty.
- Best practices. We don’t accept submissions that are simply configuration/policy suggestions. This includes things such as hardfail SPF records, DMARC, and others.
- User/account enumeration.
- Login/Logout CSRF.
- Email spoofing.
- Clickjacking and similar techniques.
- Cookies without the “Secure” flag. Our site is all HTTPS with Strict-Transport-Security.
(Note that this is not an exhaustive list, just the most common items. The fact that something doesn’t appear on this list does not automatically make it a valid, bounty-awarded submission.)
We ask that you use common sense when seeking out security bugs. Do not attempt to compromise other users or accounts on PagerDuty or attempt to impact the stability of our infrastructure (Denial of Service attacks, etc). Vulnerabilities should be disclosed to us privately, and we should be given reasonable time to respond.
Running security scanning tools tends to create more noise than useful information. While we appreciate research and disclosure, we kindly ask that you do not use scanners to find vulnerabilities.
Thanks for Working With Us
We respect the talented people who locate security issues and appreciate all efforts to disclose responsibly.
PagerDuty Security Team PGP Key
If you wish to communicate privately with us about your concern, you can use the following PGP key to encrypt your message to us and verify any signed messages you receive from us. This key is also uploaded to a variety of common key servers.
Key ID: E6E3F1BE
Fingerprint: EF49 9DFB 8457 B662 0919 D702 B05A 3200 E6E3 F1BE
User ID: PagerDuty Security <security@pagerduty.com>
Key: 4096-bit, RSA