In addition to the security testing we regularly conduct internally and hire third-parties to conduct for us, we occasionally have people report possible vulnerabilities.
This page outlines our procedures for those reports.
If you've discovered a security vulnerability, please do not share it publicly. Instead, we ask that you report it directly to us by emailing security [at] geocod.io and encrypt the message if necessary. Geocodio's PGP key can be found at https://www.geocod.io/pgp-key.txt.
We're extremely grateful to the following people who have helped us improve the security of Geocodio.
Vulnerabilities to timing and DOS attacks.
Vulnerabilities that have been previously reported by another user.
Known vulnerabilities in the components of our technological stack reported within 48 hours since their public reveal.
Security issues only reproducible under highly unlikely conditions (including but not limited to: using outdated or exotic web browsers, operating systems, or insecure internet connections).
Security issues that rely on social engineering, spam, or physical security testing.
Bugs or functionality that prove that a tested email address exists in our database as well as the theoretical ability to brute-force such functionality.
Vulnerabilities that we determine to be an accepted risk, including but not limited to:
-all) on SPF records.
rejectrecord in DMARC.