Skip to content

Security: thinkst/canarytokens

SECURITY.md

Security Policy

Thinkst welcomes bug reports and takes them seriously. Our primary reporting channel is [email protected], however, security bugs in our open-source software can also be reported on GitHub. We don't run a bug bounty for canarytokens.org, but we will send swag for fixable bugs and code contributions.

If you report a security bug we will request a CVE on your behalf and it will be acknowledged in a GitHub Advisory. Denial-of-Service bugs are reportable but please don’t test them on our production system.

Please make sure to include the following in your report:

  1. Summary: Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
  2. Details: Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
  3. PoC: Complete instructions, including specific configuration details, to reproduce the vulnerability.
  4. Impact: What kind of vulnerability is it? Who is impacted?
Learn more about advisories related to thinkst/canarytokens in the GitHub Advisory Database