In addition to the security testing we regularly conduct internally and hire third-parties to conduct for us, we occasionally have people report possible vulnerabilities.
This page outlines our procedures for those reports.
If you've discovered a security vulnerability, please do not share it publicly. Instead, we ask that you report it directly to us by emailing security [at] geocod.io and encrypt the message if necessary. Geocodio's PGP key can be found at https://www.geocod.io/pgp-key.txt.
Rules for you
- Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
- Do not attempt to access or modify data that does not belong to you.
- Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
- Do not run any automated tools against our servers without prior permission.
- Kindly do not publicly share the issue details until we confirm that the vulnerability has been fixed.
- Do not attempt to blackmail us or try to sell us your security report.
When in doubt, contact us at email@example.com.
Rules for us
- We will not pursue any legal action against you if you obey the rules above.
- We will reply to all correctly submitted reports and we will work with you on fixing the issue.
- We will perform our own risk assessment for every reported vulnerability.
- If your report is not eligible, we will let you know the reason why.
- We will let you decide whether you want to be publicly acknowledged for your report.
Hall of Fame
We're extremely grateful to the following people who have helped us improve the security of Geocodio.
- We do not offer cash compensation for security reports at this time.
- For some eligible reports that we identify as particularly important, we may reward you with our branded stickers or a t-shirt. If you'd like to receive something from us, please share your mailing address with us after we have confirmed the eligibility of your report.
What does not qualify?