Thinkst welcomes bug reports and takes them seriously. Our primary reporting channel is [email protected], however, security bugs in our open-source software can also be reported on GitHub. We don't run a bug bounty for canarytokens.org, but we will send swag for fixable bugs and code contributions.
If you report a security bug we will request a CVE on your behalf and it will be acknowledged in a GitHub Advisory. Denial-of-Service bugs are reportable but please don’t test them on our production system.
Please make sure to include the following in your report:
- Summary: Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
- Details: Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
- PoC: Complete instructions, including specific configuration details, to reproduce the vulnerability.
- Impact: What kind of vulnerability is it? Who is impacted?