You’ve found a security vulnerability in Pwnedkeys.com, a Pwnedkeys service, or software provided by Pwnedkeys? Nice one. This page tells you all about what happens next.

Our Philosophy

While we may have made the vulnerability, you found it, and the details of its existence are yours. We recognise that you can do with that knowledge as you please.

Since you’re reading this page, rather than just posting to fulldisclosure, the chances are you want to minimise the impact to Pwnedkeys’ users as much as we do. We appreciate this, and will work with you to do just that. However, we respect that you’re able to disclose or not, as you see fit, and will never ask (or worse, threaten!) you to suppress or otherwise limit what you can do with the vulnerability information. Please bear in mind, though, that this only applies to information about the vulnerability itself, not any data that the vulnerability exposes.

Safe Harbour

As long as you are acting in good faith, looking for vulnerabilities with the intention of disclosing them to Pwnedkeys or the general public, you’re in the clear. If we ever get a ToS or AUP, you can’t break them if you’re doing good faith bug hunting.

Recognition and Rewards

We’ll get this out of the way straight away: we don’t pay bug bounties, give schwag, or otherwise materially compensate those who find and report vulnerabilities. That’s not because we don’t want to, or don’t respect the time and effort that goes into finding and reporting vulns. It’s simply that we don’t have the money to do so. If we somehow get rich from running Pwnedkeys, well, we’ll probably become greedy plutocrats and still won’t pay meaningful bug bounties, but at least we won’t feel bad about it any more.

The best we can offer is our respect and gratitude, and public recognition of your achievement, if you wish it. By default, we will keep reporters anonymous. As always, disclosure is your call, not ours.

Process

  1. Send an email to security@pwnedkeys.com giving us enough information to be able to reproduce the vulnerability.

  2. We’ll try to confirm the vulnerability, and either let you know we’ve figured it out, or ask you for more information.

  3. Once we can reproduce it, we’ll let you know our timeline for remediation.

  4. We’ll fix the problem, and everyone will go their separate ways, having made the Internet a better place for everyone.

Scope

Very short and sweet: if it’s under the pwnedkeys.com domain, or available from our GitHub org, then it’s “in scope”.

About the only thing we don’t think is security-relevant is volumetric DDoS attacks. We already know that with a big enough hammer you can break anything. That only applies to pipe-filling attacks, though – if you find something expensive to do that doesn’t have an effective rate limit on it, we’d like to know about that.

Guidelines

  • Don’t do anything that degrades the availability of the service for other users. If you accidentally take something down, please let us know ASAP so we can fix it. Bear in mind that we consider availability issues to be security-relevant, so you’ve found something worth reporting, even if it wasn’t what you intended to find.

  • Minimise exposure of user data. If you find something that discloses the data of our users, please let us know and delete the data.