Please note that our Bug Bounty Program has been temporarily suspended.

Bug Bounty Program


We run a bug bounty program covering our flagship Dead Man's Switch (DMS) service. If you think you have found a security vulnerability in Deadswitch, please report it to us straight away. Please include detailed steps to reproduce and a brief description of what the impact is.

We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.


Hall of Fame


Security researchers who have identified vulnerabilities in Deadswitch and reported them to us responsibly are listed in our Hall of Fame.

Responsible Disclosure Policy


We ask that during your research you make every effort to maintain the integrity of our users’ data and to avoid violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.

Bug Bounty


As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer an exclusive Deadswitch hacker coin reward for certain qualifying bugs.

To qualify for the bounty, you must:

  • Follow our responsible disclosure policy (see above).
  • Report the bug to us first, and give us reasonable time to fix the issue before making it public.
  • Be the first person to report the issue to us.
  • Use only an account that you control. Never interact with other accounts without the owner’s consent.
  • Find a bug that could allow access to private user data, or enable access to a system running Deadswitch infrastructure.

Examples of valid vulnerability types include:

  • Authentication or session management issues
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Remote Code Execution
  • Privilege Escalation

Whether a report qualifies for a bounty is solely at the discretion of Deadswitch. The exact reward offered will be determined by our security team after taking into account factors such as the severity of the vulnerability and the number of users potentially affected.

Exclusions


Some security elements are excluded from the scope of our program.

These include, but are not limited to:

  • Non-technical attacks such as social engineering, phishing, or physical attacks against our staff, users, or infrastructure.
  • Attempts to brute force access to any areas requiring authentication.
  • Anything related to enumeration of usernames.
  • Outdated software/library versions.
  • DMARC, DKIM and SPF related issues.
  • Insecure settings in non-sensitive cookies.
  • Missing HTTP headers, unless a vulnerability can be demonstrated.
  • Bugs related to unpatched, out of date, or exceedingly rarely used browsers or other client software out of our control.
  • Clickjacking on pages with no sensitive actions.
  • Reports about “leakage” of the fact we run nginx, or the version number, or Perl module names or file paths.

PGP


If you have a particularly sensitive disclosure to make, please encrypt the details of the vulnerability using our PGP public key and email us at:

Fingerprint: BD82 A73C 43A3 783E 5E97 1396 AE15 679F 1D42 DFD4
