Responsible disclosure
Last updated: 5 June 2026 · PGP key fingerprint listed below.
We take the security of VeraDNS — the website, the Platform and our infrastructure — seriously. If you believe you have discovered a vulnerability, we'd like to hear from you and will work with you to validate and remediate it.
How to report
Email security@veradns.io with:
- A clear description of the issue and its security impact.
- Steps to reproduce (proof-of-concept code is welcome but never required; do not run it against production systems other than those in the scope listed below).
- The affected URL, version, or component.
- Your name / handle for acknowledgement (optional — anonymous reports accepted).
If the content is sensitive, encrypt with our PGP key. Fingerprint:
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 (placeholder — final key published at launch).
Scope
In-scope:
- veradns.io (marketing site)
- app.veradns.io
- Staging endpoints (when announced)
- Official container images published under ghcr.io/veradns/*
Out-of-scope:
- Customer-operated deployments (these are the customer's responsibility).
- Findings on third-party services we use (report to the vendor directly).
- Rate-limit / brute-force findings without demonstrated impact.
- Self-XSS, missing best-practice headers without exploitable impact, "best-practice" reports without evidence.
- Vulnerabilities in retired or unsupported versions.
Rules of engagement (safe harbour)
While you are acting in good faith and within this policy, we will not take legal action against you and will treat the report as authorised security research. You agree to:
- Not access or modify data that is not yours.
- Not run automated scanners against production without prior written consent.
- Stop testing and notify us immediately if you encounter user data.
- Keep the issue confidential until we agree on a public-disclosure timeline (typically 90 days, sooner if a fix ships earlier).
- Not exploit beyond what is necessary to demonstrate the issue.
What we commit to
- Acknowledge within 2 business days.
- Initial triage and severity assessment within 7 days.
- Regular status updates at least every 14 days until resolution.
- Public credit (with your consent) once the issue is fixed.
Bounties
VeraDNS does not currently operate a paid bounty programme. We award swag and Hall-of-Fame credit. A paid programme is planned post-GA.
Hall of fame
We thank the following researchers for responsible disclosures. (List will appear here once the first report is resolved.)