Responsible Disclosure of Security Vulnerabilities
If you've discovered a security concern, please email us at email@example.com. Please be succinct: the mailbox is attended by security engineers and a short proof-of-concept link is more valuable than a video explaining the consequences of an XSS bug.
Please note, we do not offer financial compensation for your report.
Rules for investigating vulnerabilities
- When investigating a vulnerability, please, only ever target your own accounts. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Doorkeeper.
- Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your Doorkeeper account and ban your IP address.
- Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
- Don’t publicly disclose any vulnerabilities you find before we have resolved them.
What does not qualify for listing?
- Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
- Insecure cookie settings for non-sensitive cookies.
- Disclosure of public information and information that does not present significant risk.
- Bugs in content/services that are not owned/operated by Doorkeeper.
- Vulnerabilities that Doorkeeper determines to be an accepted risk.
- Scripting or other automation and brute forcing of intended functionality.
Thanks for working with us!
Thank you for helping keep Doorkeeper secure. We really appreciate your help.
We especially appreciate the help from the following individuals who have worked with us to resolve flaws securely.
- Arvind Singh Shekhawat
- Daksh Patel
- Eliran Itzhak
- Imen Essoussi
- Jerold Camacho
- Jolan Saluria
- Manish Bhattacharya
- Rakesh Singh
- Ryota Hayashi
- Sai Charan Mukkamala
- SaifAllah benMassaoud
- Saneyuki Kanemaru
If you're someone who has helped us in the past and we've neglected to list you, we apologize. Please let us know.