Thinkst welcomes bug reports and takes them seriously. Our primary reporting channel is security@thinkst.com; however, security bugs in our open-source software can also be reported on GitHub. We don't run a bug bounty for canarytokens.org, but we will send swag for fixable bugs and code contributions.
If you report a security bug we will request a CVE on your behalf and it will be acknowledged in a GitHub Advisory. Denial-of-Service bugs are reportable but please don’t test them on our production system.
Please make sure to include the following in your report:
- Summary: Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
- Details: Give all details on the vulnerability. Pointing to the affected source code is very helpful for the maintainer.
- PoC: Complete instructions, including specific configuration details, to reproduce the vulnerability.
- Impact: What kind of vulnerability is it? Who is impacted?